analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | gazelbomb.zip |
| Full analysis: | https://app.any.run/tasks/3197d27b-1e49-4b9e-91e1-dc0647070157 |
| Verdict: | Malicious activity |
| Analysis date: | March 21, 2019, 10:12:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | FE148FDEA38B127AFB65BC81B46B6D71 |
| SHA1: | E95EE52816F5D4BB8738D4927805D82827450715 |
| SHA256: | 236D5D6B8A83C944D33FB620CB09C81A772477B29EB73AE6F55D82146E86389F |
| SSDEEP: | 3072:S17FI4XS92bIK9ADkKF/myanEG8A/+xkpQSZiju5+Tqrp:07d6KAYxEGL6jFW9 |
MALICIOUS
Application was dropped or rewritten from another process
- gazel.exe (PID: 2860)
- gazel.exe (PID: 3280)
- gazel.exe (PID: 2764)
- gazel.exe (PID: 2788)
- gazel.exe (PID: 3568)
- gazel.exe (PID: 3752)
- gazel.exe (PID: 1872)
- gazel.exe (PID: 4064)
- gazel.exe (PID: 2732)
- gazel.exe (PID: 2132)
- gazel.exe (PID: 908)
- gazel.exe (PID: 596)
- gazel.exe (PID: 1248)
- gazel.exe (PID: 1088)
- gazel.exe (PID: 4024)
- gazel.exe (PID: 2768)
- gazel.exe (PID: 580)
- gazel.exe (PID: 2032)
- gazel.exe (PID: 2628)
- gazel.exe (PID: 2120)
- gazel.exe (PID: 4032)
- gazel.exe (PID: 128)
- gazel.exe (PID: 2376)
- gazel.exe (PID: 4076)
- gazel.exe (PID: 3588)
- gazel.exe (PID: 2920)
- gazel.exe (PID: 1628)
- gazel.exe (PID: 240)
- gazel.exe (PID: 2944)
- gazel.exe (PID: 2100)
- gazel.exe (PID: 2548)
- gazel.exe (PID: 3288)
- gazel.exe (PID: 2640)
- gazel.exe (PID: 3428)
- gazel.exe (PID: 3520)
- gazel.exe (PID: 1660)
- gazel.exe (PID: 1004)
- gazel.exe (PID: 2452)
- gazel.exe (PID: 1640)
- gazel.exe (PID: 1748)
- gazel.exe (PID: 920)
- gazel.exe (PID: 3944)
- gazel.exe (PID: 3136)
- gazel.exe (PID: 2184)
- gazel.exe (PID: 2876)
- gazel.exe (PID: 2212)
- gazel.exe (PID: 2276)
- gazel.exe (PID: 2588)
- gazel.exe (PID: 2540)
- gazel.exe (PID: 1844)
- gazel.exe (PID: 2432)
- gazel.exe (PID: 2468)
- gazel.exe (PID: 1500)
- gazel.exe (PID: 3924)
- gazel.exe (PID: 3424)
- gazel.exe (PID: 1544)
- gazel.exe (PID: 1036)
- gazel.exe (PID: 3188)
- gazel.exe (PID: 2576)
- gazel.exe (PID: 1784)
- gazel.exe (PID: 304)
- gazel.exe (PID: 516)
- gazel.exe (PID: 3080)
- gazel.exe (PID: 2552)
- gazel.exe (PID: 1556)
- gazel.exe (PID: 1512)
- gazel.exe (PID: 2348)
- gazel.exe (PID: 1624)
- gazel.exe (PID: 264)
- gazel.exe (PID: 2148)
- gazel.exe (PID: 1744)
- gazel.exe (PID: 1908)
- gazel.exe (PID: 628)
- gazel.exe (PID: 2152)
- gazel.exe (PID: 3760)
- gazel.exe (PID: 2864)
- gazel.exe (PID: 3544)
- gazel.exe (PID: 2156)
- gazel.exe (PID: 4008)
- gazel.exe (PID: 324)
- gazel.exe (PID: 3892)
- gazel.exe (PID: 2176)
- gazel.exe (PID: 3748)
- gazel.exe (PID: 2464)
- gazel.exe (PID: 3780)
- gazel.exe (PID: 3040)
- gazel.exe (PID: 2724)
- gazel.exe (PID: 1620)
- gazel.exe (PID: 3764)
- gazel.exe (PID: 1960)
- gazel.exe (PID: 2216)
- gazel.exe (PID: 1444)
- gazel.exe (PID: 2248)
- gazel.exe (PID: 3276)
- gazel.exe (PID: 1824)
- gazel.exe (PID: 2388)
- gazel.exe (PID: 4036)
- gazel.exe (PID: 1764)
- gazel.exe (PID: 1220)
- gazel.exe (PID: 4072)
- gazel.exe (PID: 3920)
- gazel.exe (PID: 1788)
- gazel.exe (PID: 2268)
- gazel.exe (PID: 3064)
- gazel.exe (PID: 3560)
- gazel.exe (PID: 2720)
- gazel.exe (PID: 3404)
- gazel.exe (PID: 3536)
- gazel.exe (PID: 2444)
- gazel.exe (PID: 780)
- gazel.exe (PID: 1192)
- gazel.exe (PID: 1968)
- gazel.exe (PID: 2880)
- gazel.exe (PID: 976)
- gazel.exe (PID: 3908)
- gazel.exe (PID: 2636)
- gazel.exe (PID: 588)
- gazel.exe (PID: 788)
- gazel.exe (PID: 1156)
- gazel.exe (PID: 2976)
- gazel.exe (PID: 260)
- gazel.exe (PID: 2664)
- gazel.exe (PID: 1588)
- gazel.exe (PID: 4084)
- gazel.exe (PID: 3400)
- gazel.exe (PID: 3272)
- gazel.exe (PID: 3420)
- gazel.exe (PID: 2856)
- gazel.exe (PID: 2060)
- gazel.exe (PID: 3564)
- gazel.exe (PID: 1428)
- gazel.exe (PID: 3928)
- gazel.exe (PID: 1708)
- gazel.exe (PID: 1928)
- gazel.exe (PID: 2288)
- gazel.exe (PID: 3216)
- gazel.exe (PID: 2688)
- gazel.exe (PID: 1580)
- gazel.exe (PID: 2080)
- gazel.exe (PID: 1592)
- gazel.exe (PID: 2520)
- gazel.exe (PID: 2256)
- gazel.exe (PID: 1508)
- gazel.exe (PID: 4204)
- gazel.exe (PID: 5628)
- gazel.exe (PID: 3448)
- gazel.exe (PID: 4272)
- gazel.exe (PID: 5924)
- gazel.exe (PID: 5212)
- gazel.exe (PID: 5396)
- gazel.exe (PID: 5996)
- gazel.exe (PID: 4308)
- gazel.exe (PID: 4636)
- gazel.exe (PID: 5036)
- gazel.exe (PID: 2356)
- gazel.exe (PID: 4592)
- gazel.exe (PID: 4992)
- gazel.exe (PID: 4664)
- gazel.exe (PID: 6008)
- gazel.exe (PID: 5500)
- gazel.exe (PID: 1352)
- gazel.exe (PID: 5400)
- gazel.exe (PID: 4976)
- gazel.exe (PID: 4704)
- gazel.exe (PID: 4648)
- gazel.exe (PID: 5776)
- gazel.exe (PID: 4864)
- gazel.exe (PID: 4156)
- gazel.exe (PID: 4244)
- gazel.exe (PID: 5124)
- gazel.exe (PID: 6056)
- gazel.exe (PID: 5700)
- gazel.exe (PID: 5636)
- gazel.exe (PID: 4268)
- gazel.exe (PID: 6128)
- gazel.exe (PID: 5300)
- gazel.exe (PID: 5104)
- gazel.exe (PID: 4364)
- gazel.exe (PID: 4568)
- gazel.exe (PID: 5392)
- gazel.exe (PID: 4532)
- gazel.exe (PID: 5148)
- gazel.exe (PID: 4188)
- gazel.exe (PID: 5144)
- gazel.exe (PID: 5084)
- gazel.exe (PID: 4552)
- gazel.exe (PID: 5728)
- gazel.exe (PID: 1152)
- gazel.exe (PID: 4656)
- gazel.exe (PID: 4504)
- gazel.exe (PID: 5684)
- gazel.exe (PID: 5296)
- gazel.exe (PID: 5240)
- gazel.exe (PID: 5992)
- gazel.exe (PID: 5608)
- gazel.exe (PID: 4548)
- gazel.exe (PID: 5568)
- gazel.exe (PID: 4352)
- gazel.exe (PID: 5904)
- gazel.exe (PID: 5908)
- gazel.exe (PID: 4884)
- gazel.exe (PID: 4660)
- gazel.exe (PID: 4908)
- gazel.exe (PID: 6140)
- gazel.exe (PID: 4332)
- gazel.exe (PID: 5368)
- gazel.exe (PID: 3312)
- gazel.exe (PID: 4536)
- gazel.exe (PID: 5468)
- gazel.exe (PID: 5828)
- gazel.exe (PID: 4840)
- gazel.exe (PID: 4324)
- gazel.exe (PID: 5732)
- gazel.exe (PID: 5484)
- gazel.exe (PID: 4340)
- gazel.exe (PID: 5020)
- gazel.exe (PID: 5376)
- gazel.exe (PID: 4720)
- gazel.exe (PID: 4904)
- gazel.exe (PID: 5844)
- gazel.exe (PID: 4620)
- gazel.exe (PID: 5800)
- gazel.exe (PID: 4700)
- gazel.exe (PID: 5216)
- gazel.exe (PID: 5428)
- gazel.exe (PID: 5888)
- gazel.exe (PID: 5100)
- gazel.exe (PID: 5012)
- gazel.exe (PID: 5812)
- gazel.exe (PID: 6016)
- gazel.exe (PID: 5292)
- gazel.exe (PID: 6124)
- gazel.exe (PID: 5496)
- gazel.exe (PID: 5184)
- gazel.exe (PID: 6036)
- gazel.exe (PID: 4480)
- gazel.exe (PID: 4380)
- gazel.exe (PID: 4892)
- gazel.exe (PID: 6112)
- gazel.exe (PID: 5224)
- gazel.exe (PID: 6004)
- gazel.exe (PID: 6136)
- gazel.exe (PID: 4424)
- gazel.exe (PID: 5952)
- gazel.exe (PID: 5264)
- gazel.exe (PID: 4868)
- gazel.exe (PID: 5432)
- gazel.exe (PID: 332)
- gazel.exe (PID: 5880)
- gazel.exe (PID: 4476)
- gazel.exe (PID: 4828)
- gazel.exe (PID: 5476)
- gazel.exe (PID: 6132)
- gazel.exe (PID: 4180)
- gazel.exe (PID: 5288)
- gazel.exe (PID: 4460)
- gazel.exe (PID: 4944)
- gazel.exe (PID: 4444)
- gazel.exe (PID: 5892)
- gazel.exe (PID: 5156)
- gazel.exe (PID: 4420)
- gazel.exe (PID: 5620)
- gazel.exe (PID: 4288)
- gazel.exe (PID: 4508)
- gazel.exe (PID: 6028)
- gazel.exe (PID: 4812)
- gazel.exe (PID: 5548)
- gazel.exe (PID: 5172)
- gazel.exe (PID: 4936)
- gazel.exe (PID: 5964)
- gazel.exe (PID: 5268)
- gazel.exe (PID: 4612)
- gazel.exe (PID: 4108)
- gazel.exe (PID: 4744)
- gazel.exe (PID: 5984)
- gazel.exe (PID: 4140)
- gazel.exe (PID: 5576)
- gazel.exe (PID: 5200)
- gazel.exe (PID: 5352)
- gazel.exe (PID: 4756)
- gazel.exe (PID: 5040)
SUSPICIOUS
No suspicious indicators.INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipFileName: | bat.bat |
|---|---|
| ZipUncompressedSize: | 92 |
| ZipCompressedSize: | 83 |
| ZipCRC: | 0xecd8e27c |
| ZipModifyDate: | 2019:03:21 13:11:25 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
Total processes
319
Monitored processes
286
Malicious processes
19
Suspicious processes
50
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 660 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\gazelbomb.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 2372 | cmd /c ""C:\Users\admin\Desktop\bat.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2764 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
| 2860 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
| 2788 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
| 3568 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
| 3280 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
| 4064 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
| 2132 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
| 1872 | gazel.exe | C:\Users\admin\Desktop\gazel.exe | — | cmd.exe |
User: admin Company: от создателей сапер-пидорас Integrity Level: MEDIUM Version: 1.00 | ||||
Total events
596
Read events
550
Write events
46
Delete events
0
Modification events
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\gazelbomb.zip | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | @C:\Windows\System32\acppage.dll,-6002 |
Value: Windows Batch File | |||
| (PID) Process: | (3568) gazel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm |
| Operation: | write | Name: | fdwSupport |
Value: 1 | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa660.15602\bat.bat | — | |
MD5:— | SHA256:— | |||
| 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa660.15602\gazel.exe | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report