analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | ssssssssssssss1IMAGEM19052019162151MIplkWRGFu.zip |
| Full analysis: | https://app.any.run/tasks/4fe0b09f-31b6-4624-b89f-4e97fc64b267 |
| Verdict: | Malicious activity |
| Analysis date: | May 20, 2019, 08:50:31 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | C57BF42AB51B4D8931BFAC7C3DB8D4A8 |
| SHA1: | D931A234FABE4BB7F498A7C4C094EE0F35AC4EA9 |
| SHA256: | 305D0E1E2F2046ACDA685B1BB17BD779704899D79CE1ACB5DBFEDFE9F54CB66D |
| SSDEEP: | 49152:HeYbLtdSk99wVhLA1e3jegh3gyPaCZwgZLli6UHNUpT:+eLtdOS1ezHhQySCZFc6oUV |
MALICIOUS
Application was dropped or rewritten from another process
- 1IMAGEM19052019162151MIplkWRGFu.exe (PID: 3848)
Writes to a start menu file
- 1IMAGEM19052019162151MIplkWRGFu.exe (PID: 3848)
SUSPICIOUS
Reads the BIOS version
- 1IMAGEM19052019162151MIplkWRGFu.exe (PID: 3848)
Reads Internet Cache Settings
- 1IMAGEM19052019162151MIplkWRGFu.exe (PID: 3848)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 116)
- 1IMAGEM19052019162151MIplkWRGFu.exe (PID: 3848)
Creates files in the user directory
- 1IMAGEM19052019162151MIplkWRGFu.exe (PID: 3848)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2019:05:19 16:55:19 |
| ZipCRC: | 0x7868f10f |
| ZipCompressedSize: | 1911114 |
| ZipUncompressedSize: | 2510848 |
| ZipFileName: | 1IMAGEM19052019162151MIplkWRGFu.exe |
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 116 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ssssssssssssss1IMAGEM19052019162151MIplkWRGFu.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 3848 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa116.25023\1IMAGEM19052019162151MIplkWRGFu.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa116.25023\1IMAGEM19052019162151MIplkWRGFu.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM | ||||
Total events
1 022
Read events
985
Write events
37
Delete events
0
Modification events
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\ssssssssssssss1IMAGEM19052019162151MIplkWRGFu.zip | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
Executable files
4
Suspicious files
2
Text files
0
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | C:\Users\admin\AppData\Local\Temp\drive2 | — | |
MD5:— | SHA256:— | |||
| 3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | C:\Users\admin\AppData\Roaming\Microsoft\Microsoft312.exe | — | |
MD5:— | SHA256:— | |||
| 3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk | lnk | |
MD5:7CD6C0FFCEB6392E4648424C2E5C9F97 | SHA256:A9CE2BC97A436C3BCDBC6F5757AEDF0E706E2714585586194D81563DA79807D1 | |||
| 3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | C:\Users\admin\AppData\Local\Temp\Microsoft082.zip | compressed | |
MD5:29B35F8941D3211C3FFD08F832F7596D | SHA256:FC81F4271F1BBA60EFD80DF0D991E8C9B6D802522AD951EA8B54F82AF2C5F136 | |||
| 3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\tj1[1].zip | compressed | |
MD5:29B35F8941D3211C3FFD08F832F7596D | SHA256:FC81F4271F1BBA60EFD80DF0D991E8C9B6D802522AD951EA8B54F82AF2C5F136 | |||
| 3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | C:\Users\admin\AppData\Local\Temp\Microsoft312.exe | executable | |
MD5:7AC334D16D6B6E343F27C0C906C365C0 | SHA256:92B29035BE194ED8FF46DE00D88F15F2955F91B285C7ED3454F94F8C430B2D44 | |||
| 116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa116.25023\1IMAGEM19052019162151MIplkWRGFu.exe | executable | |
MD5:070C5B9BBC587284B3836BDD40CAD7A3 | SHA256:8852D738E2FB737C05C763640E4F4F1C4C26B28C1125B1739AB8D04B132B0B6D | |||
| 116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.26870\1IMAGEM19052019162151MIplkWRGFu.exe | executable | |
MD5:070C5B9BBC587284B3836BDD40CAD7A3 | SHA256:8852D738E2FB737C05C763640E4F4F1C4C26B28C1125B1739AB8D04B132B0B6D | |||
| 3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | C:\Users\admin\AppData\Roaming\Microsoft\.Microsoft.exe | executable | |
MD5:7AC334D16D6B6E343F27C0C906C365C0 | SHA256:92B29035BE194ED8FF46DE00D88F15F2955F91B285C7ED3454F94F8C430B2D44 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | GET | 200 | 35.236.40.64:80 | http://64.40.236.35.bc.googleusercontent.com/catalog/seo_sitemap/product/tj/tj1.zip | US | compressed | 16.2 Mb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | 35.236.40.64:80 | 64.40.236.35.bc.googleusercontent.com | — | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
64.40.236.35.bc.googleusercontent.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3848 | 1IMAGEM19052019162151MIplkWRGFu.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Loader (Trojan.Agent.DDSA) Requesting Zip Archive |
Process | Message |
|---|---|
1IMAGEM19052019162151MIplkWRGFu.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |
1IMAGEM19052019162151MIplkWRGFu.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |