Sample: filefinder.zip

Full analysis: https://app.any.run/tasks/97d24fad-2f19-4684-95bd-b08d51af973f
Verdict: Malicious activity
Analysis date: February 21, 2020, 16:32:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 452AE405ADE60A3B25A267DF703AD049
SHA1: 2FC64670D01952532B0704D29E97B98282C1F0C0
SHA256: 263B4EA72C0E13702332618D6FEBEC6AF874CD4FD435B65748799CE6D77FB0CD
SSDEEP: 6144:5+m2vZ9zrYFgYKJR2F7Tx4KvxB1UCTHoayCc9Ea7fpr2ZTf/+//:57+dYmJRujf1Uuoahouy//

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3548)
      • FileFinder.exe (PID: 3228)
    • Application was dropped or rewritten from another process
      • FileFinder.exe (PID: 3228)
      • FileFinder.exe (PID: 2128)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2508)
      • FileFinder.exe (PID: 3228)
    • Low-level read access rights to disk partition
      • FileFinder.exe (PID: 3228)
    • Creates executable files which already exist in Windows
      • FileFinder.exe (PID: 3228)
    • Connects to server without host name
      • FileFinder.exe (PID: 3228)
  • INFO
    • Manual execution by user
      • WinRAR.exe (PID: 2508)
      • FileFinder.exe (PID: 2128)
      • FileFinder.exe (PID: 3228)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 10
  ZipBitFlag: -
  ZipCompression: None
  ZipModifyDate: 2019:08:31 09:53:20
  ZipCRC: 0x00000000
  ZipCompressedSize: -
  ZipUncompressedSize: -
  ZipFileName: filefinder/
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes as extracted (the interactive graph is in the full report): start, winrar.exe (no specs), winrar.exe, searchprotocolhost.exe (no specs), filefinder.exe (no specs), filefinder.exe

Process information

PID 2524
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\filefinder.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll

PID 2508
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\filefinder.zip" C:\Users\admin\Desktop\
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll

PID 3548
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Exit code: 0
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\searchprotocolhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

PID 2128
  CMD: "C:\Users\admin\Desktop\filefinder\FileFinder.exe"
  Path: C:\Users\admin\Desktop\filefinder\FileFinder.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the medium-integrity launch did not run and the binary was relaunched as PID 3228 at HIGH integrity)
  Version: 1.0.0.5
  Modules (images):
    c:\users\admin\desktop\filefinder\filefinder.exe
    c:\systemroot\system32\ntdll.dll

PID 3228
  CMD: "C:\Users\admin\Desktop\filefinder\FileFinder.exe"
  Path: C:\Users\admin\Desktop\filefinder\FileFinder.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Version: 1.0.0.5
  Modules (images):
    c:\users\admin\desktop\filefinder\filefinder.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\usp10.dll
Total events: 700
Read events: 686
Write events: 14
Delete events: 0

Modification events

(PID 2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID 2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID 2524) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\filefinder.zip
(PID 2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID 2508) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID 2508) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:

Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2508 | WinRAR.exe | C:\Users\admin\Desktop\filefinder\FileFinder.exe | executable
  MD5: 8DF7EC1035C7A4D7D64ADEE4414A90BB
  SHA256: 8EE2BD6733BC02BC44EB5B54495353C8BB932CE7CAB6084502329A6D22E641FA
2508 | WinRAR.exe | C:\Users\admin\Desktop\filefinder\filefinder.dll | executable
  MD5: 1DB3F4A61BBFC61EE80BD3FEAFB344A4
  SHA256: AA3FBA9E4FED7861E3399FF0D3B5DC85D7D5E7E5A5129E54BA74FFA1B0A3AC4A
3228 | FileFinder.exe | C:\Users\admin\Desktop\filefinder\download\c133788b393eec01439ad997d24e66ed\explorer.exe | executable
  MD5: C133788B393EEC01439AD997D24E66ED
  SHA256: 8AD2175466E700801D484A8005D0DE17F045BD8E7F33685CC99DF7F45E5445AF
2508 | WinRAR.exe | C:\Users\admin\Desktop\filefinder\zlib1.dll | executable
  MD5: 80E41408F6D641DC1C0F5353A0CC8125
  SHA256: B09537250201236472CCD3CAFF5C0C12A5FAD262E1E951350E9E5ED2A81D9DDE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1,424
TCP/UDP connections: 1,454
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/dp.php | US | text | 32 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown
3228 | FileFinder.exe | POST | 200 | 45.32.201.56:80 | http://45.32.201.56/checkallfiles/uploadfile.php | US | text | 105 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3228 | FileFinder.exe | 45.32.201.56:80 | | Choopa, LLC | US | unknown
 | | 45.32.201.56:80 | | Choopa, LLC | US | unknown
3228 | FileFinder.exe | 45.63.48.32:80 | | Choopa, LLC | US | unknown

DNS requests: no data

Threats: no threats detected

No debug info