Field | Value
---|---
File name | 20950944987.zip
Full analysis | https://app.any.run/tasks/3fe63d5a-8bcd-4883-9f0e-806b5ca37be3
Verdict | Malicious activity
Analysis date | January 27, 2025 at 06:19:22
OS | Windows 10 Professional (build: 19045, 64 bit)
Indicators |
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract, compression method=deflate
MD5 | 90C514B7A2F91336514E992B044F4571
SHA1 | 646C2D5B671CF411EB0128C4AAA85C11EEFBCFD0
SHA256 | 31D843CCAD9A3D38E4D83E8C9729E47465FD587D573B2C6636F39EF11BD9717E
SSDEEP | 98304:/cyaulaegeDMF2p5FYqwFNc+wyrcQ7Ar2of55dBiXe7pko27Ioikzxx3EodX0p2u:51Y6
Extension | Detected type
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipRequiredVersion | 20
ZipBitFlag | 0x0009
ZipCompression | Deflated
ZipModifyDate | 1980:00:00 00:00:00
ZipCRC | 0x2d134076
ZipCompressedSize | 2014474
ZipUncompressedSize | 2212280
ZipFileName | 5f14648a1153e45b77cf309595e0f91fd41642b1f538cd1bdbf8e70e23e13748
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1344 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2632 --field-trial-handle=1604,i,8473562714054960041,6927489759731956414,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0
1380 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2200 --field-trial-handle=1604,i,8473562714054960041,6927489759731956414,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Version: 23.1.20093.0
1512 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2216 --field-trial-handle=1604,i,8473562714054960041,6927489759731956414,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | | AcroCEF.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Version: 23.1.20093.0
3724 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\20950944987.zip | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
3796 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | waitfor.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Version: 10.0.19041.1 (WinBuild.160101.0800)
3988 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 "C:\programdata\session\2567_MDES0204_8_20134.pdf" | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | — | Acrobat.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe Acrobat; Version: 23.1.20093.0
4052 | c:\programdata\session\OriginLegacyCLI.exe | C:\ProgramData\session\OriginLegacyCLI.exe | | irsetup.exe | User: admin; Company: Electronic Arts; Integrity Level: MEDIUM; Description: OriginLegacyCLI; Exit code: 0; Version: 8,1,0,1556
4328 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri | C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe | — | AdobeCollabSync.exe | User: admin; Integrity Level: LOW; Exit code: 3221225547
4640 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2820 --field-trial-handle=1604,i,8473562714054960041,6927489759731956414,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0
5004 | "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1747314 "__IRAFN:C:\Users\admin\Desktop\20950944987\a.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1693682860-607145093-2874071422-1001" | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | | a.exe | User: admin; Company: Indigo Rose Corporation; Integrity Level: MEDIUM; Description: Setup Application; Exit code: 0; Version: 9.1.0.0
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\20950944987.zip
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 15 |
3724 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 14 |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
5464 | a.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | executable | F1309DF61E1DC5DF781B90894C2E7DAC | 69A23AA500C5350612A42EA2B0297DE3F344C7C97A47B98EA770510DE69AFFEE
5004 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG | image | 3220A6AEFB4FC719CC8849F060859169 | 988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
3724 | WinRAR.exe | C:\Users\admin\Desktop\20950944987\5f14648a1153e45b77cf309595e0f91fd41642b1f538cd1bdbf8e70e23e13748 | executable | DFE0C87B2B2B7FC18A7BF6FF372FE6A1 | 5F14648A1153E45B77CF309595E0F91FD41642B1F538CD1BDBF8E70E23E13748
5004 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG | image | AC40DED6736E08664F2D86A65C47EF60 | F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
5004 | irsetup.exe | C:\ProgramData\session\Uninstall\uninstall.dat | binary | D1684E03CD0A60A7A2807936C270F76E | D839F47D4066A72D2F314872E4634AD0FF17A694F434599180234EF92AC05AF7
5004 | irsetup.exe | C:\ProgramData\session\Uninstall\uniBB83.tmp | binary | 32BB4D11A207D7B5B3A7CA8795D99905 | 111460F7124D4B001418E9AC2088BF7BCEA5A3566983D02D0CBCE9C3A210DFD0
5004 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat | binary | E0456345518547FEFB19DD8E172EEACF | A0677537B272A197C49EAE86B039371FCB39877C4867CF8381F5C51E21E82D1D
5004 | irsetup.exe | C:\ProgramData\session\uninstall.exe | executable | F1309DF61E1DC5DF781B90894C2E7DAC | 69A23AA500C5350612A42EA2B0297DE3F344C7C97A47B98EA770510DE69AFFEE
5004 | irsetup.exe | C:\ProgramData\session\Uninstall\uninstall.xml | xml | 96969B014E92A577E5BE33C61966448B | D11C4AB1F8947C03B713448D8F2BBCEDC7FDD07C8321E9558E2C09B720AA847D
5004 | irsetup.exe | C:\ProgramData\session\lua5.1.dll | executable | B5FC476C1BF08D5161346CC7DD4CB0BA | 12CB9B8F59C00EF40EA8F28BFC59A29F12DC28332BF44B1A5D8D6A8823365650
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.97.136:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6280 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
624 | SIHClient.exe | GET | 200 | 2.16.97.136:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
624 | SIHClient.exe | GET | 200 | 2.16.97.136:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5592 | Acrobat.exe | POST | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/ | unknown | — | — | whitelisted |
5592 | Acrobat.exe | POST | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/ | unknown | — | — | whitelisted |
5592 | Acrobat.exe | POST | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/ | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
880 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 23.216.77.26:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 2.16.97.136:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5064 | SearchApp.exe | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
1176 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5064 | SearchApp.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation
---|---|---
google.com | | whitelisted
crl.microsoft.com | | whitelisted
www.microsoft.com | | whitelisted
www.bing.com | | whitelisted
login.live.com | | whitelisted
ocsp.digicert.com | | whitelisted
go.microsoft.com | | whitelisted
settings-win.data.microsoft.com | | whitelisted
arc.msn.com | | whitelisted
fd.api.iris.microsoft.com | | whitelisted