File name: d473b802-eb5f-11e7-8ccc-5944bc969a40

Full analysis: https://app.any.run/tasks/2eefce09-516e-416b-8949-f6cd51d5638d
Verdict: Malicious activity
Analysis date: October 05, 2022, 05:21:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: C26A2C5F6154225E8D83C4000306F162
SHA1: 67C586CEDBF0852AA52268311841CBAC5C96FDF8
SHA256: 35A9481DDBED5177431A9EA4BD09468FE987797D7B1231D64942D17EB54EC269
SSDEEP: 49152:cPEbpqUPr0OMPjmNgyV24OXxr2/NV0CA7QUmu4LnB:cPEbpPPrC4gWFOBr4Wfg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • RDPWInst.exe (PID: 3384)
      • RDPWInst.exe (PID: 2576)
      • RDPConf.exe (PID: 2408)
      • RDPWInst.exe (PID: 2800)
      • RDPConf.exe (PID: 3640)
      • RDPCheck.exe (PID: 3360)
      • RDPCheck.exe (PID: 3304)
    • Loads dropped or rewritten executable

      • svchost.exe (PID: 2496)
      • spoolsv.exe (PID: 896)
  • SUSPICIOUS

    • Application launched itself

      • ie4uinit.exe (PID: 4088)
      • chrmstp.exe (PID: 1432)
      • rundll32.exe (PID: 2648)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)
No data.
All screenshots are available in the full report
Total processes: 107
Monitored processes: 41
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes, in launch order ("no specs" marks a node with no recorded indicators):
  • rundll32.exe (no specs)
  • explorer.exe (no specs)
  • winrar.exe (no specs)
  • cmd.exe (no specs)
  • rdpwinst.exe (no specs)
  • rdpwinst.exe (no specs)
  • rdpwinst.exe
  • svchost.exe
  • netsh.exe (no specs)
  • drvinst.exe (no specs)
  • rdpconf.exe (no specs)
  • rdpconf.exe
  • explorer.exe (no specs)
  • rdpcheck.exe (no specs)
  • rdpcheck.exe
  • rundll32.exe (no specs)
  • taskhost.exe (no specs)
  • tstheme.exe (no specs)
  • rdpclip.exe (no specs)
  • sipnotify.exe
  • ie4uinit.exe (no specs)
  • ie4uinit.exe (no specs)
  • rundll32.exe (no specs)
  • rundll32.exe (no specs)
  • rundll32.exe (no specs)
  • rundll32.exe (no specs)
  • ie4uinit.exe (no specs)
  • unregmp2.exe (no specs)
  • ie4uinit.exe (no specs)
  • regsvr32.exe (no specs)
  • chrmstp.exe (no specs)
  • chrmstp.exe (no specs)
  • imeklmg.exe (no specs)
  • imeklmg.exe (no specs)
  • jusched.exe (no specs)
  • imkrmig.exe (no specs)
  • spoolsv.exe (no specs)
  • eosnotify.exe (no specs)
  • verclsid.exe (no specs)
  • wmic.exe (no specs)
  • tstheme.exe (no specs)

Process information

PID: 3172
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\AppData\Roaming\d473b802-eb5f-11e7-8ccc-5944bc969a40.xpi"
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3808
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3576
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Roaming\d473b802-eb5f-11e7-8ccc-5944bc969a40.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 1340
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\install.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2576
CMD: "C:\Users\admin\Desktop\RDPWInst" -i -o
Path: C:\Users\admin\Desktop\RDPWInst.exe
Parent process: cmd.exe
User: admin
Company: Stas'M Corp.
Integrity Level: MEDIUM
Description: RDP Wrapper Library Installer
Exit code: 3221226540
Version: 2.5.0.0

PID: 3384
CMD: "C:\Users\admin\Desktop\RDPWInst.exe" -i -o
Path: C:\Users\admin\Desktop\RDPWInst.exe
Parent process: cmd.exe
User: admin
Company: Stas'M Corp.
Integrity Level: MEDIUM
Description: RDP Wrapper Library Installer
Exit code: 3221226540
Version: 2.5.0.0

PID: 2800
CMD: "C:\Users\admin\Desktop\RDPWInst.exe" -i -o
Path: C:\Users\admin\Desktop\RDPWInst.exe
Parent process: cmd.exe
User: admin
Company: Stas'M Corp.
Integrity Level: HIGH
Description: RDP Wrapper Library Installer
Exit code: 0
Version: 2.5.0.0

PID: 2496
CMD: C:\Windows\System32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2524
CMD: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Path: C:\Windows\system32\netsh.exe
Parent process: RDPWInst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2600
CMD: DrvInst.exe "1" "200" "UMB\UMB\1&841921d&0&TERMINPUT_BUS" "" "" "6e3bed883" "00000000" "000003B8" "00000400"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 17 293
Read events: 15 832
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 12
Suspicious files: 21
Text files: 76
Unknown types: 119

Dropped files

PID: 2496 | Process: svchost.exe
Filename: C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
MD5:
SHA256:

PID: 2496 | Process: svchost.exe | Type: binary
Filename: C:\Windows\system32\CatRoot2\edb.chk
MD5: 939C57F136DE908E789BB88847609EBF
SHA256: 9E84D625709F7B0E3B37625B17A03E8408BF2C6FD8113F88A07E0004A23A49F7

PID: 2496 | Process: svchost.exe | Type: binary
Filename: C:\Windows\system32\CatRoot2\edb.log
MD5: 6F082DC727F3024B04017D2728D064C7
SHA256: C3DE634CBED101225759505ABFA24DC7C3E649FEE46F07AB54E5B1F1E6476E7A

PID: 2600 | Process: DrvInst.exe | Type: binary
Filename: C:\Windows\INF\setupapi.ev1
MD5: 513DE822DB8FC992461C8C85211C9B28
SHA256: A6C7D744A7A3D97E5C84E40525278EDBB718E2AAAF958A7173ABFF2C035EEAC8

PID: 2600 | Process: DrvInst.exe | Type: binary
Filename: C:\Windows\INF\setupapi.ev2
MD5: E40A0CC8FB5B9375DB0606400586E0F8
SHA256: 9558168F193C3C3DAF1A4557A539D203D99542360F893E41ED8ADB1BAEADCF8B

PID: 2496 | Process: svchost.exe | Type: edb
Filename: C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
MD5: DB16B73848597CE4E48C1C9A1E9EA39B
SHA256: 451AE86FB4B4330B5E393B889177F81FCA16AEAF88A17C43D72DFFE7B4145DD5

PID: 896 | Process: spoolsv.exe | Type: pnf
Filename: C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_x86_neutral_a8106f7f3af21d88\prnle003.PNF
MD5: 3620D34CD2C5C747D4E4F712DAE7A658
SHA256: D629C90481E1D69E26B69A3B39224D237CAA2E43A4B1E2F23A334912EF8EAD55

PID: 896 | Process: spoolsv.exe | Type: pnf
Filename: C:\Windows\System32\DriverStore\FileRepository\faxcn002.inf_x86_neutral_29a66691dd7a46a5\faxcn002.PNF
MD5: 29B8A4A10F2952E89E1F7CA2A5B2DDE1
SHA256: F0547FA5CE3EA243A02E5C17F166984F9E7D3CC7E42EA02B3B80540BB8F003D4

PID: 2600 | Process: DrvInst.exe | Type: binary
Filename: C:\Windows\INF\setupapi.ev3
MD5: B3A5D9AC6211BAF643A7C6417B8A1AD3
SHA256: BDBB32228A51C3352F71B6F721A81332E5C2DE17AA8329FBE39745C411E958CF

PID: 896 | Process: spoolsv.exe | Type: pnf
Filename: C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_x86_neutral_51cbe14e4cdde8c2\prnge001.PNF
MD5: AD6F4CF762E9EE7D6E68605B6DB1DB9D
SHA256: 4E1F8780DDD35D642CDE8E33C56545FB7ECA8929EC13915743987323CB1B9E22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID: 2724 | Process: sipnotify.exe | Method: HEAD | HTTP code: 404
IP: 23.205.225.13:80
URL: http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133094245573670000
CN: NL | Reputation: whitelisted

PID: 2800 | Process: RDPWInst.exe | Method: GET | HTTP code: 404
IP: 209.197.3.8:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?db2ef270b67036c9
CN: US | Type: xml | Size: 341 b | Reputation: whitelisted

Connections

PID: 2800 | Process: RDPWInst.exe
IP: 185.199.108.133:443 | Domain: raw.githubusercontent.com
ASN: FASTLY | CN: US | Reputation: malicious

PID: 2724 | Process: sipnotify.exe
IP: 23.205.225.13:80 | Domain: query.prod.cms.rt.microsoft.com
ASN: AKAMAI-AS | CN: DE | Reputation: unknown

PID: 2800 | Process: RDPWInst.exe
IP: 209.197.3.8:80 | Domain: ctldl.windowsupdate.com
ASN: STACKPATH-CDN | CN: US | Reputation: whitelisted

DNS requests

Domain: raw.githubusercontent.com | Reputation: shared
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.110.133

Domain: ctldl.windowsupdate.com | Reputation: whitelisted
  • 209.197.3.8

Domain: query.prod.cms.rt.microsoft.com | Reputation: whitelisted
  • 23.205.225.13

Threats

Found threats are available for the paid subscriptions
1 ETPRO signature available at the full report
No debug info