File name: 2.zip
Full analysis: https://app.any.run/tasks/22050599-2511-4df0-bd88-1e754afde70e
Verdict: Malicious activity
Analysis date: August 25, 2019, 13:28:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: DE9D3AEFA44B939746BBAFAD78F928F7
SHA1: 63423392FD2A381DFEEE86649EEB500D26244398
SHA256: 34FEC2C1144A9C701C8E13BB6CED7A02343F39B0378921C209D22BC5BA99DCC0
SSDEEP: 196608:XtB0M6AAcTlQft+4i0fsa22hQWAG572eTpRQcqmDR+VdARyZ:X76ZfNxfsa22CWAG4IjQcR9CAQZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Windscribe Checker.exe (PID: 3600)
      • Windscribe Checker.exe (PID: 3888)
    • Loads dropped or rewritten executable
      • Windscribe Checker.exe (PID: 3600)
      • WerFault.exe (PID: 2880)
  • SUSPICIOUS
    • Application launched itself
      • Windscribe Checker.exe (PID: 3888)
    • Loads Python modules
      • Windscribe Checker.exe (PID: 3600)
      • WerFault.exe (PID: 2880)
    • Executable content was dropped or overwritten
      • Windscribe Checker.exe (PID: 3888)
      • WinRAR.exe (PID: 3748)
      • Windscribe Checker.exe (PID: 3600)
    • Starts CMD.EXE for commands execution
      • Windscribe Checker.exe (PID: 3600)
  • INFO
    • Manual execution by user
      • Windscribe Checker.exe (PID: 3888)
    • Dropped object may contain Bitcoin addresses
      • Windscribe Checker.exe (PID: 3888)
    • Application was crashed
      • Windscribe Checker.exe (PID: 3600)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:08:25 09:07:10
ZipCRC: 0xac8c7fbb
ZipCompressedSize: 13
ZipUncompressedSize: 13
ZipFileName: combo.txt
Total processes: 39
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process nodes): start, winrar.exe, windscribe checker.exe, windscribe checker.exe, cmd.exe (no specs), werfault.exe (no specs)

Process information

PID: 3748
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3888
CMD: "C:\Users\admin\Desktop\Windscribe Checker.exe"
Path: C:\Users\admin\Desktop\Windscribe Checker.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3

PID: 3600
CMD: "C:\Users\admin\Desktop\Windscribe Checker.exe"
Path: C:\Users\admin\Desktop\Windscribe Checker.exe
Parent process: Windscribe Checker.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3

PID: 2840
CMD: C:\Windows\system32\cmd.exe /c cls
Path: C:\Windows\system32\cmd.exe
Parent process: Windscribe Checker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2880
CMD: C:\Windows\system32\WerFault.exe -u -p 3600 -s 328
Path: C:\Windows\system32\WerFault.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2,551
Read events: 2,531
Write events: 20
Delete events: 0

Modification events

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3748) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\2.zip

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

Process: (3748) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\AppData\Local\Temp

Executable files: 19
Suspicious files: 2
Text files: 15
Unknown types: 1

Dropped files

PID: 3748 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3748.21689\Windscribe Checker.exe
MD5: F699C9E4FD8861F73385C5120EC1C238
SHA256: D54413CF35F5676B39A1CA98BECDF2B5084BADC2EA9BB6AE9CB8367723F9A868

PID: 3888 | Process: Windscribe Checker.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI38882\_cffi_backend.cp36-win32.pyd
MD5: 37870C71B315B371553FC91EE1D84643
SHA256: 4CBC9DEF520E2FAF4699B546FD383254F301357C9ABC1340C53C84DF619A6B3F

PID: 3888 | Process: Windscribe Checker.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI38882\cryptography\hazmat\bindings\_openssl.cp36-win32.pyd
MD5: 09A6A2D3999BB5BD08197EA86E6388B4
SHA256: 9B77B0B0895249BB7DBEBC360D64C3C4B616F3553DCE187BD26322239EEEB6FD

PID: 3888 | Process: Windscribe Checker.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI38882\_decimal.pyd
MD5: 2BA5187C121B584A3D6BDAC2C6D3FA71
SHA256: B1A7011BF56081CFCA8EFB9423AD6FEB2833D1F24A7E87244D94D40F1ACE3B71

PID: 3888 | Process: Windscribe Checker.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI38882\_lzma.pyd
MD5: 2B6CF186EBA511E0903C9314B865D3B9
SHA256: B1A6D7CB4F88A5EB2C30908836F7EED1F1C8294BAAEE94E9AB4B8BB47FE0F6DC

PID: 3888 | Process: Windscribe Checker.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI38882\_bz2.pyd
MD5: F97C69209C208C1DD472C5E0ED760456
SHA256: 9A0B806E6A764D6109DA7762F57A92381DB329D1B3EC5ADBFBD3CF61EF81E3C0

PID: 3888 | Process: Windscribe Checker.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI38882\python36.dll
MD5: 1AC97DBE4A81FC2BEB509F8DA5A3E8B6
SHA256: 258DD151E3EC9632D0B49488CC689BCBAB172648854E121DC6B5F2E43E58CB62

PID: 3748 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3748.21689\combo.txt
MD5: 753700549D05DAC9EC82DA32DCEFE3D5
SHA256: B17270C86CF8BBB0F8FCAB3C417C5EDC215EDF3E31AC73D4119C4FDE3095163E

PID: 3748 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3748.21689\hits.txt
MD5: 46AB2997CA006D78B35DB8F6F9DE7662
SHA256: 62F51D296D3429D8F502E2A1CF5FD430A118615B9C4B97D7FBAC538E9966FE26

PID: 3888 | Process: Windscribe Checker.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI38882\lxml\_elementpath.cp36-win32.pyd
MD5: 93D7B3C7F353B5F5AE12A3890A5F940D
SHA256: 6F2D698C02507872A68E5970EB7AE64506A7ADA3A58F2F64F0AD4C31726CEE63
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info