analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0efd95e4d3502e20b7120685050abae2.zip

Full analysis: https://app.any.run/tasks/f78ae84a-417e-43c0-bcc6-b9dbc704074e
Verdict: Malicious activity
Analysis date: May 21, 2022, 04:31:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7C5AE7CCCF850D72F2DFA17799290F00

SHA1:

D5D8F78230DB88F44CAD88935E10AC428044C456

SHA256:

22D0F3491EC9FDEF84151E70A706EBCD4324298E1EFC5228CAE1DB4D1010B8DD

SSDEEP:

768:rT/VnUtLLSG+/uk1S84RBPsVBld4ALmiLQ2f:PWtV+/uk1bcPEBkBi3f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 3356)
      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 2540)
      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 2232)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2832)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2832)
      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 2232)
      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 2540)
      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 3356)
    • Reads the computer name

      • WinRAR.exe (PID: 2832)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2832)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2832)
    • Uses RUNDLL32.EXE to load library

      • control.exe (PID: 2496)
    • Executed via COM

      • DllHost.exe (PID: 3516)
    • Reads the time zone

      • rundll32.exe (PID: 3660)
  • INFO

    • Manual execution by user

      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 2232)
      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 3356)
      • 0efd95e4d3502e20b7120685050abae2.exe (PID: 2540)
      • control.exe (PID: 2496)
    • Checks supported languages

      • rundll32.exe (PID: 3660)
      • DllHost.exe (PID: 3516)
      • control.exe (PID: 2496)
    • Reads the computer name

      • control.exe (PID: 2496)
      • rundll32.exe (PID: 3660)
      • DllHost.exe (PID: 3516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 0efd95e4d3502e20b7120685050abae2
ZipUncompressedSize: 44032
ZipCompressedSize: 28909
ZipCRC: 0x60c4e6c4
ZipModifyDate: 2012:10:13 14:26:15
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe 0efd95e4d3502e20b7120685050abae2.exe no specs 0efd95e4d3502e20b7120685050abae2.exe no specs 0efd95e4d3502e20b7120685050abae2.exe control.exe no specs rundll32.exe no specs timedate.cpl no specs

Process information

PID
CMD
Path
Indicators
Parent process
2832"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\0efd95e4d3502e20b7120685050abae2.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
3356"C:\Users\admin\Desktop\0efd95e4d3502e20b7120685050abae2.exe" C:\Users\admin\Desktop\0efd95e4d3502e20b7120685050abae2.exeExplorer.EXE
User:
admin
Company:
mst software GmbH, Germany
Integrity Level:
MEDIUM
Description:
mst Defrag SDK Service
Exit code:
0
Version:
3,6,0,6165
2232"C:\Users\admin\Desktop\0efd95e4d3502e20b7120685050abae2.exe" C:\Users\admin\Desktop\0efd95e4d3502e20b7120685050abae2.exeExplorer.EXE
User:
admin
Company:
mst software GmbH, Germany
Integrity Level:
MEDIUM
Description:
mst Defrag SDK Service
Exit code:
0
Version:
3,6,0,6165
2540"C:\Users\admin\Desktop\0efd95e4d3502e20b7120685050abae2.exe" C:\Users\admin\Desktop\0efd95e4d3502e20b7120685050abae2.exe
Explorer.EXE
User:
admin
Company:
mst software GmbH, Germany
Integrity Level:
HIGH
Description:
mst Defrag SDK Service
Exit code:
0
Version:
3,6,0,6165
2496"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl",C:\Windows\System32\control.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3660"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl",C:\Windows\system32\rundll32.execontrol.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3516C:\Windows\system32\DllHost.exe /Processid:{9DF523B0-A6C0-4EA9-B5F1-F4565C3AC8B8}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 321
Read events
1 289
Write events
32
Delete events
0

Modification events

(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2832) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\0efd95e4d3502e20b7120685050abae2.zip
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2832WinRAR.exeC:\Users\admin\Desktop\0efd95e4d3502e20b7120685050abae2executable
MD5:0EFD95E4D3502E20B7120685050ABAE2
SHA256:E19C8F1EA80D6CF9D3348A07C7428BBCDFC66EA5A192F63E22A8E29CFDA5AAF0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
6
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
destromas.com
unknown
alexdecorris.com
unknown
bowsessexifid.com
unknown
ferchogaetz.com
unknown
toffieconciati.com
unknown
mostestwaes.com
unknown

Threats

No threats detected
No debug info