File name: OpiumV4.zip
Full analysis: https://app.any.run/tasks/6116d905-6923-4863-be44-898c15005df8
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:20:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8363875C33DBE92CDEB3AD03FD7F8638
SHA1: AD5CF931EA527FF2F14AEE9E356F72642E2EA53A
SHA256: 358D4B79DAF1215B26FFAE1FF0D33E9C39EB5C7D2B5A06751EA826075260EC18
SSDEEP: 393216:/AOtv1p0GF4uhP/yNwoWqXsC5ig8P4PyIiLYlh8YS/Z:YOtv34uhP/yxD9igGhJS8N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • OpiumV4.exe (PID: 3144)
      • WinRAR.exe (PID: 1940)
    • Loads dropped or rewritten executable

      • WerFault.exe (PID: 3364)
      • SearchProtocolHost.exe (PID: 2032)
      • WerFault.exe (PID: 2996)
    • Application was dropped or rewritten from another process

      • OpiumV4.exe (PID: 3144)
      • OPIUMV4.EXE (PID: 3644)
      • OPIUMVNEP.EXE (PID: 2016)
      • OPIUMVNEP.EXE (PID: 4056)
      • OpiumV4.exe (PID: 1684)
      • OPIUMV4.EXE (PID: 2568)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 1940)
      • OpiumV4.exe (PID: 3144)
      • OPIUMV4.EXE (PID: 3644)
      • OPIUMVNEP.EXE (PID: 2016)
      • OPIUMVNEP.EXE (PID: 4056)
      • OPIUMV4.EXE (PID: 2568)
      • OpiumV4.exe (PID: 1684)
    • Checks supported languages

      • WinRAR.exe (PID: 1940)
      • OPIUMV4.EXE (PID: 3644)
      • OpiumV4.exe (PID: 3144)
      • OPIUMVNEP.EXE (PID: 2016)
      • OpiumV4.exe (PID: 1684)
      • OPIUMV4.EXE (PID: 2568)
      • OPIUMVNEP.EXE (PID: 4056)
    • Executable content was dropped or overwritten

      • OpiumV4.exe (PID: 3144)
      • WinRAR.exe (PID: 1940)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1940)
      • OpiumV4.exe (PID: 3144)
    • Reads Environment values

      • WerFault.exe (PID: 3364)
      • OPIUMVNEP.EXE (PID: 2016)
      • OPIUMVNEP.EXE (PID: 4056)
      • WerFault.exe (PID: 2996)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 1940)
    • Checks supported languages

      • WerFault.exe (PID: 3364)
      • WerFault.exe (PID: 2996)
    • Reads the computer name

      • WerFault.exe (PID: 3364)
      • WerFault.exe (PID: 2996)
    • Manual execution by user

      • OpiumV4.exe (PID: 1684)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration extracted.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP, one archive member shown):
ZipFileName: Guna.UI2.dll
ZipUncompressedSize: 2331592
ZipCompressedSize: 982509
ZipCRC: 0x3dadd446
ZipModifyDate: 2022:01:07 18:25:18
ZipCompression: Deflated
ZipBitFlag: 0x0800
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 2

Behavior graph

(Interactive in the full report; click a process there to see its details.) Nodes shown, with edges labelled "drop and start" or "start": winrar.exe, opiumv4.exe, opiumv4.exe, opiumvnep.exe, werfault.exe, searchprotocolhost.exe (no specs), opiumv4.exe, opiumv4.exe, opiumvnep.exe, werfault.exe.

Process information

PID 1940 | WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OpiumV4.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0

PID 3144 | OpiumV4.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\OpiumV4.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\OpiumV4.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 1

PID 3644 | OPIUMV4.EXE
  CMD: "C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE
  Parent process: OpiumV4.exe
  User: admin
  Integrity Level: MEDIUM
  Description: OpiumV4
  Exit code: 3762504530 (0xE0434352, the SEH code the .NET CLR raises for an unhandled managed exception; the crash is handled by WerFault.exe PID 3364 below)
  Version: 1.0.0.0

PID 2016 | OPIUMVNEP.EXE
  CMD: "C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE
  Parent process: OpiumV4.exe
  User: admin
  Integrity Level: MEDIUM
  Description: OpiumV4Stub
  Exit code: 0
  Version: 1.0.0.0

PID 3364 | WerFault.exe
  CMD: C:\Windows\system32\WerFault.exe -u -p 3644 -s 544
  Path: C:\Windows\system32\WerFault.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Problem Reporting
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2032 | SearchProtocolHost.exe
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\system32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID 1684 | OpiumV4.exe
  CMD: "C:\Users\admin\Desktop\OpiumV4.exe"
  Path: C:\Users\admin\Desktop\OpiumV4.exe
  Parent process: Explorer.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 1

PID 2568 | OPIUMV4.EXE
  CMD: "C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE
  Parent process: OpiumV4.exe
  User: admin
  Integrity Level: MEDIUM
  Description: OpiumV4
  Exit code: 3762504530 (0xE0434352, unhandled .NET CLR exception; handled by WerFault.exe PID 2996 below)
  Version: 1.0.0.0

PID 4056 | OPIUMVNEP.EXE
  CMD: "C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE
  Parent process: OpiumV4.exe
  User: admin
  Integrity Level: MEDIUM
  Description: OpiumV4Stub
  Exit code: 0
  Version: 1.0.0.0

PID 2996 | WerFault.exe
  CMD: C:\Windows\system32\WerFault.exe -u -p 2568 -s 548
  Path: C:\Windows\system32\WerFault.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Problem Reporting
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
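The process table above rewards a mechanical read: both OPIUMV4.EXE instances exit with 3762504530, which is 0xE0434352, the SEH code the .NET CLR raises for an unhandled managed exception, and each is followed by a WerFault.exe whose -p argument names the crashed PID. The watson.microsoft.com connections listed under "Connections" are that crash reporter's telemetry, not traffic from the sample. The Python below is an added example, not ANY.RUN's code and not part of the report: it runs those checks over the records transcribed from the table, isolating the executable path from each command line, flagging binaries started out of WinRAR's Rar$EX temporary extraction directory or %LOCALAPPDATA%\Temp, decoding large exit codes, and linking each WerFault.exe to the process it reports on. The archiver list and the exit-code table are assumptions chosen for this page; the report names parents by image only, so the records carry that image name rather than a parent PID.

```python
"""Triage of ANY.RUN-style process records (added example; constructed from the report above)."""
import re
from typing import Dict, List, Optional, Tuple

# (pid, image, command line, parent image, exit code), transcribed from the report.
PROCESSES: List[Tuple[int, str, str, str, Optional[int]]] = [
    (1940, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OpiumV4.zip"', "Explorer.EXE", None),
    (3144, "OpiumV4.exe", r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\OpiumV4.exe"', "WinRAR.exe", 1),
    (3644, "OPIUMV4.EXE", r'"C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE"', "OpiumV4.exe", 3762504530),
    (2016, "OPIUMVNEP.EXE", r'"C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE"', "OpiumV4.exe", 0),
    (3364, "WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 3644 -s 544", "svchost.exe", 0),
    (1684, "OpiumV4.exe", r'"C:\Users\admin\Desktop\OpiumV4.exe"', "Explorer.EXE", 1),
    (2568, "OPIUMV4.EXE", r'"C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE"', "OpiumV4.exe", 3762504530),
    (4056, "OPIUMVNEP.EXE", r'"C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE"', "OpiumV4.exe", 0),
    (2996, "WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 2568 -s 548", "svchost.exe", 0),
]

# Exit codes that are really NTSTATUS / SEH exception codes. 0xE0434352 ("CCR") is the
# code the .NET CLR raises for an unhandled managed exception. Table is an assumption.
EXIT_CODE_NAMES = {
    0xE0434352: "unhandled .NET CLR exception",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}  # assumption: parents worth flagging
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ARCHIVE_TMP_RE = re.compile(r"\\Rar\$(EX|DI)a\d+\.\d+\\", re.IGNORECASE)  # WinRAR scratch dirs
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def image_path(cmd: str) -> str:
    """First argv element of a Windows command line, quoted or not (so arguments
    such as the .zip passed to WinRAR are not mistaken for the executable)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def decode_exit_code(code: Optional[int]) -> Optional[str]:
    """Hex form of an exit code plus its NTSTATUS/SEH name when known."""
    if code is None:
        return None
    value = code & 0xFFFFFFFF
    name = EXIT_CODE_NAMES.get(value)
    return f"0x{value:08X}" + (f" ({name})" if name else "")


def werfault_target(cmd: str) -> Optional[int]:
    """PID that WerFault.exe was launched to report on (its -p argument), or None."""
    m = WERFAULT_PID_RE.search(cmd)
    return int(m.group(1)) if m else None


def analyze(procs=PROCESSES) -> Dict[int, List[str]]:
    """Per-PID list of findings derived purely from the process records."""
    findings: Dict[int, List[str]] = {pid: [] for pid, *_ in procs}
    by_pid = {pid: image for pid, image, *_ in procs}
    for pid, image, cmd, parent, code in procs:
        exe = image_path(cmd)
        if ARCHIVE_TMP_RE.search(exe):
            findings[pid].append("executed straight out of an archiver extraction directory")
        elif TEMP_DIR_RE.search(exe):
            findings[pid].append("executed from %LOCALAPPDATA%\\Temp")
        if parent.lower() in ARCHIVERS:
            findings[pid].append(f"spawned by archiver {parent}")
        if code is not None and code > 0xFF:
            findings[pid].append(f"abnormal exit code {decode_exit_code(code)}")
        target = werfault_target(cmd) if image.lower() == "werfault.exe" else None
        if target is not None:
            label = f"{by_pid[target]} (PID {target})" if target in by_pid else f"PID {target}"
            findings[pid].append(f"crash report for {label}; its watson.microsoft.com traffic is WER telemetry")
    return findings


if __name__ == "__main__":
    for pid, notes in analyze().items():
        for note in notes:
            print(f"{pid:>5}  {note}")
```

Run as-is it prints one line per finding; in practice the records would come from the sandbox's JSON export or an EDR process-creation feed rather than a hand-transcribed list.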
Total events: 4 805
Read events: 4 735
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 37
Suspicious files: 4
Text files: 62
Unknown types: 2

Dropped files

PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\frmMain.cs | text
  MD5: 9E53A359C4A365921E064A57109198A2
  SHA256: 0E476CDD77D31F9770D8642429584162C34147C3E14E4712B72A24C0CFFB479D
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Confuser.DynCipher.dll | executable
  MD5: 6EBC90E77623826E71DED623A296660B
  SHA256: CDAD0A76F0D3F3E73FCDC6E5E6D98B0E88ADCC2353C54344375B80197A86FCF6
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\Binaries\whysosad | text
  MD5: FC3C88C2080884D6C995D48E172FBC4F
  SHA256: 1637CE704A463BD3C91A38AA02D1030107670F91EE3F0DD4FA13D07A77BA2664
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Confuser.Runtime.dll | executable
  MD5: 42E45FA8BB26246ED3B3C2760E782912
  SHA256: C8BCBE8C706659824ED001CAF0BE23B8470A99C0391A23C419884AD93DF3CCE0
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1940.40600\Newtonsoft.Json.dll | executable
  MD5: 5E02DDAF3B02E43E532FC6A52B04D14B
  SHA256: 78BEDD9FCE877A71A8D8FF9A813662D8248361E46705C4EF7AFC61D440FF2EEB
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Teen.dll | executable
  MD5: FB9D14387B89B30606D094AE8CD93EA0
  SHA256: 68EAC14CA256F9871CC85FFC77C86B1D6378E6C900DFF34F8B697BE07B77446A
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\README.txt | text
  MD5: BC84297EE7083EA8F69099CC2F9BDD10
  SHA256: B4D5632511AF66EE90F370511AD97D2C0E7CC4E078FA172A8B99E79FB05251BA
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\Binaries\config | binary
  MD5: 1BA367D0F9AAC0F650E65AB7401776C0
  SHA256: 68C4EC552C98F3B5A4744E4EEFADD6364DC8075C2E718B7BCBFC76625AA60D03
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\Binaries\RtkBtManServ.exe | executable
  MD5: 88AB0BB59B0B20816A833BA91C1606D3
  SHA256: F4FB42C8312A6002A8783E2A1AB4571EB89E92CD192B1A21E8C4582205C37312
PID 1940 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Confuser.Renamer.dll | executable
  MD5: E1656B7BFD3B7C9634F72C4F9085D226
  SHA256: 4CE9A9F15724B17DA414C4AAD7B7BFBBA0FD1B80E3D0B8452551D5F79FD32B50
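The "Drops a file with a compile date too recent" signature and the EXIF block for the archive are both static checks you can reproduce without detonating anything: walk the ZIP central directory, and for every member that is a PE image read the COFF TimeDateStamp (four bytes at e_lfanew + 8) and compare it with the analysis time. The Python below is an added example, not ANY.RUN's code and not the sample: the archive it inspects is built in memory from synthetic PE header stubs that only borrow member names from the dropped-files list above (the real files' bytes are not on this page), and the seven-day "too recent" window and the Confuser.* name check for ConfuserEx runtime DLLs are assumptions.

```python
"""Static triage of an archive's members (added example; all data constructed in memory)."""
import io
import struct
import time
import zipfile
from datetime import datetime
from typing import Dict, List, Optional

RECENT_WINDOW_SECONDS = 7 * 24 * 3600          # assumption: "too recent" = built within 7 days
OBFUSCATOR_MARKERS = ("confuser.",)            # assumption: ConfuserEx runtime/renamer DLLs


def build_pe_stub(timestamp: int) -> bytes:
    """Smallest MZ + PE header pair with a chosen COFF TimeDateStamp.
    Not loadable; constructed only so the parser below has something to read."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> Optional[int]:
    """COFF TimeDateStamp of a PE image, or None when the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def triage_zip(zip_bytes: bytes, now: Optional[int] = None) -> List[Dict]:
    """One record per archive member: ZIP metadata (what EXIF shows), PE build time, flags."""
    now = int(time.time()) if now is None else now
    results: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ts = pe_timestamp(data)
            flags: List[str] = []
            if ts is not None:
                flags.append("pe")
                # A build time in the future or only hours old is the signature's trigger.
                if ts > now or now - ts < RECENT_WINDOW_SECONDS:
                    flags.append("compile date too recent")
            if any(m in info.filename.lower() for m in OBFUSCATOR_MARKERS):
                flags.append("obfuscator runtime")
            results.append({
                "name": info.filename,
                "size": info.file_size,
                "compressed": info.compress_size,
                "zip_modify_date": datetime(*info.date_time).strftime("%Y:%m:%d %H:%M:%S"),
                "pe_timestamp": ts,
                "flags": flags,
            })
    return results


def build_sample_zip(now: int) -> bytes:
    """Constructed archive mirroring the report's layout; member contents are synthetic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "constructed placeholder\n")
        zf.writestr("bin/Binaries/RtkBtManServ.exe", build_pe_stub(now - 3600))      # built an hour ago
        zf.writestr("bin/obf/Confuser.Runtime.dll", build_pe_stub(now - 90 * 86400))  # 90 days old
        zf.writestr("bin/Binaries/config", b"\x00\x01\x02\x03")
    return buf.getvalue()


if __name__ == "__main__":
    now = int(time.time())
    for row in triage_zip(build_sample_zip(now), now=now):
        print(f"{row['name']:<35} {row['size']:>6}  {row['zip_modify_date']}  {row['flags']}")
```

Point triage_zip at real archive bytes (open(path, "rb").read()) to get the same table for a submission before it goes anywhere near a sandbox; the zip_modify_date column is the value ExifTool reports as ZipModifyDate, and a PE timestamp close to the archive's own modify date is the pattern the sandbox signature keys on.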
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2016 | OPIUMVNEP.EXE | GET | 200 | 52.217.8.110:80 | http://setup.roblox.com/version | US | text | 24 b | shared
4056 | OPIUMVNEP.EXE | GET | 200 | 52.217.163.8:80 | http://setup.roblox.com/version | US | text | 24 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2016 | OPIUMVNEP.EXE | 52.217.8.110:80 | setup.roblox.com | Amazon.com, Inc. | US | shared
2996 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious
3364 | WerFault.exe | 52.168.117.173:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious
4056 | OPIUMVNEP.EXE | 52.217.163.8:80 | setup.roblox.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
setup.roblox.com | 52.217.8.110, 52.217.163.8 | shared
watson.microsoft.com | 52.168.117.173, 104.208.16.93 | whitelisted

Threats

No threats detected

Process | Message
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE