File name: DTPGIH_IT001_2024-05-16_11_23_45.036.zip

Full analysis: https://app.any.run/tasks/441d5802-fef1-44c3-9a06-ff2075b896d0
Verdict: Malicious activity
Analysis date: May 16, 2024, 11:25:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5: B298691A76C568DAE667F9734183A758
SHA1: 2E9EBD0C9BB3BE258CBD9906DA6C28418FFB3F66
SHA256: 35B45A9A197C8EDF9F76581BB232122BB72188B3C21B1844422502F68DAE5DDC
SSDEEP: 98304:giCqDfohyLa5suZH29wXRb6duP24ixVVLqwp9JhGDTLDdrGRgR2Tz3aX/5T33V0q:ZUYvrgmaJ0a3Gk0LBQJ39msaM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • winzip155.exe (PID: 4008)
      • msiexec.exe (PID: 820)
      • kss_installer.exe (PID: 2952)
    • Unusual connection from system programs

      • rundll32.exe (PID: 4028)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3964)
      • WINZIP32.EXE (PID: 2832)
      • Setup.exe (PID: 4020)
    • Executable content was dropped or overwritten

      • winzip155.exe (PID: 4008)
      • kss_installer.exe (PID: 2952)
    • Reads the Internet Settings

      • rundll32.exe (PID: 4028)
      • Setup.exe (PID: 4020)
      • WINZIP32.EXE (PID: 2832)
    • Searches for installed software

      • Setup.exe (PID: 4020)
      • WINZIP32.EXE (PID: 1848)
      • WINZIP32.EXE (PID: 2832)
    • Uses RUNDLL32.EXE to load library

      • Setup.exe (PID: 4020)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 820)
    • Executes as Windows Service

      • VSSVC.exe (PID: 524)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 820)
    • Creates a software uninstall entry

      • WINZIP32.EXE (PID: 1848)
    • Creates/Modifies COM task schedule object

      • WINZIP32.EXE (PID: 1848)
      • msiexec.exe (PID: 2780)
      • msiexec.exe (PID: 2748)
      • msiexec.exe (PID: 1008)
    • Changes default file association

      • msiexec.exe (PID: 820)
    • Drops 7-zip archiver for unpacking

      • msiexec.exe (PID: 820)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 820)
  • INFO

    • Create files in a temporary directory

      • winzip155.exe (PID: 4008)
      • msiexec.exe (PID: 820)
      • WINZIP32.EXE (PID: 1848)
      • WINZIP32.EXE (PID: 2832)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3964)
      • msiexec.exe (PID: 4088)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3964)
      • msiexec.exe (PID: 4088)
      • msiexec.exe (PID: 820)
    • Checks supported languages

      • winzip155.exe (PID: 4008)
      • Setup.exe (PID: 4020)
      • msiexec.exe (PID: 820)
      • msiexec.exe (PID: 2032)
      • msiexec.exe (PID: 1936)
      • WINZIP32.EXE (PID: 1848)
      • WzPreviewer32.exe (PID: 2432)
      • msiexec.exe (PID: 1008)
      • WINZIP32.EXE (PID: 2832)
    • Checks proxy server information

      • rundll32.exe (PID: 4028)
      • WINZIP32.EXE (PID: 2832)
    • Reads the software policy settings

      • msiexec.exe (PID: 4088)
      • msiexec.exe (PID: 820)
    • Reads the computer name

      • msiexec.exe (PID: 820)
      • msiexec.exe (PID: 2032)
      • msiexec.exe (PID: 1936)
      • WINZIP32.EXE (PID: 1848)
      • msiexec.exe (PID: 1008)
      • WINZIP32.EXE (PID: 2832)
      • Setup.exe (PID: 4020)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4088)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 820)
      • msiexec.exe (PID: 1936)
      • msiexec.exe (PID: 2032)
      • msiexec.exe (PID: 1008)
      • WINZIP32.EXE (PID: 1848)
      • WINZIP32.EXE (PID: 2832)
    • Application launched itself

      • msiexec.exe (PID: 820)
      • msedge.exe (PID: 3296)
    • Creates files or folders in the user directory

      • WINZIP32.EXE (PID: 1848)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 820)
    • Creates files in the program directory

      • WINZIP32.EXE (PID: 2832)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3496)
      • WINZIP32.EXE (PID: 2588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0801
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0xb33279b4
ZipCompressedSize: 16726806
ZipUncompressedSize: 16876872
ZipFileName: Device/HarddiskVolume7/GIH OLD IMP DATA/Emp Files/Risk-management pc data/a.kadam.GIH-KU/Desktop/Nandkumar Work/Operational Risk Project/Operational Risk Plan/winzip155.exe
No data.
All screenshots are available in the full report
Total processes
74
Monitored processes
32
Malicious processes
5
Suspicious processes
2

Behavior graph

  • start
  • winrar.exe
  • winzip155.exe
  • setup.exe (no specs)
  • rundll32.exe
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • vssvc.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • winzip32.exe (no specs)
  • wzpreviewer32.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • winzip32.exe (no specs)
  • wzglinst32.exe
  • kss_installer.exe
  • msiexec.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • wmpnscfg.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • winzip32.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 336
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1368,i,14686994655101018875,7757822482663144196,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
PID: 524
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 820
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1008
CMD: C:\Windows\system32\MsiExec.exe -Embedding 46D3DB4EDFA88147643463DD85F4CFA0 E Global\MSI0000
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1108
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3404 --field-trial-handle=1368,i,14686994655101018875,7757822482663144196,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
PID: 1440
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1368,i,14686994655101018875,7757822482663144196,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
PID: 1472
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1604 --field-trial-handle=1368,i,14686994655101018875,7757822482663144196,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
PID: 1804
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3620 --field-trial-handle=1368,i,14686994655101018875,7757822482663144196,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
PID: 1848
CMD: "C:\Program Files\WinZip\WINZIP32.EXE" /msiinstall /lang 1033
Path: C:\Program Files\WinZip\WINZIP32.EXE
Parent process: msiexec.exe
User: admin
Company: WinZip Computing, S.L.
Integrity Level: MEDIUM
Description: WinZip
Exit code: 0
Version: 26.0 (32-bit)
Modules
Images
c:\program files\winzip\winzip32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1936
CMD: C:\Windows\system32\MsiExec.exe -Embedding 15F812172417007D74A35C485943D73C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
22 738
Read events
21 863
Write events
844
Delete events
31

Modification events

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\DTPGIH_IT001_2024-05-16_11_23_45.036.zip

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
119
Suspicious files
96
Text files
94
Unknown types
4

Dropped files

PID | Process | Filename | Type
PID: 4008
Process: winzip155.exe
Filename: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\WINZIP155.MSI
MD5:
SHA256:

PID: 4088
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIF6A9.tmp
MD5:
SHA256:

PID: 3964
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3964.9354\Device\HarddiskVolume7\GIH OLD IMP DATA\Emp Files\Risk-management pc data\a.kadam.GIH-KU\Desktop\Nandkumar Work\Operational Risk Project\Operational Risk Plan\winzip155.exe
Type: executable
MD5: 29A70116519CE6679F042B16CF8C6D96
SHA256: 6730453D3A6F1DEBF0738A7D0DFAF6403F6432A7C09B4828670DAB7DBD74175E

PID: 4008
Process: winzip155.exe
Filename: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GCHR10.EXE
Type: executable
MD5: E82600B9A67D2781F2AE08620F64753C
SHA256: 20C53759C8D842B4231BE0B62B9D467684080E013DF64679C55EFDF4161977DC

PID: 3964
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3964.9354\manifest.json
Type: ini
MD5: A6EA6FBF8C5DCBF00830392164A44D72
SHA256: FC4FA5701A03F3D3F607E53D7A700FFB0F5BFAD2D44C919453C497B9A54F3C55

PID: 820
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{929b419c-0cd5-48f7-8193-e358f611a20d}_OnDiskSnapshotProp
MD5:
SHA256:

PID: 820
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 820
Process: msiexec.exe
Filename: C:\Windows\Installer\1155ed.msi
MD5:
SHA256:

PID: 4088
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIFFF2.tmp
Type: executable
MD5: 550568F943B59AC61987C6218257A554
SHA256: A60178D8307512A43E37AF9380AF3550673C8A13C9D5AB495BE90539E85FC3C4

PID: 4008
Process: winzip155.exe
Filename: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\Setup.exe
Type: executable
MD5: 6DEB88E95BCC07B5FB3065639D7546C4
SHA256: 672D12F2DCD619253B838DB533166645711A5005DAD0C5E64A14B2E1D638BE46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
21
DNS requests
25
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

GET | 302 | 104.110.2.116:80 | http://www.winzip.com/instcmplt.cgi?pid=WNZP&ver=15.5.9468.0&lang=EN&vid=nkln&3pa=kss%3A1&ofr=ggle%3A14%2Cgchr%3A6%2Ccan%%3A9&bm=0 | unknown | unknown

GET | 200 | 54.86.102.86:80 | http://update.winzip.com/ipm.cgi?pid=WNZP&lang=EN&dy=0&du=1&ct=0&ver=25.0.9468.0&vid=nkln&win=418x240&nid= | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | unknown
4 | System | 192.168.100.255:137 | whitelisted
224.0.0.252:5355 | unknown
4028 | rundll32.exe | 49.13.77.253:80 | api.opencandy.com | Hetzner Online GmbH | DE | unknown
54.86.102.86:80 | update.winzip.com | AMAZON-AES | US | unknown
49.13.77.253:80 | api.opencandy.com | Hetzner Online GmbH | DE | unknown
239.255.255.250:1900 | unknown
13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
104.110.2.116:80 | www.winzip.com | AKAMAI-AS | NO | unknown

DNS requests

Domain
IP
Reputation
api.opencandy.com
  • 49.13.77.253
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
update.winzip.com
  • 54.86.102.86
  • 54.82.2.143
  • 18.204.159.130
  • 44.216.66.218
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.winzip.com
  • 104.110.2.116
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
www.bing.com
  • 2.16.101.91
  • 2.16.101.106
  • 2.16.101.88
  • 2.16.101.99
  • 2.16.101.97
  • 2.16.101.83
  • 2.16.101.107
  • 2.16.101.98
  • 2.16.101.104
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
cdn.optimizely.com
  • 95.101.196.147
whitelisted
www.googletagmanager.com
  • 142.250.185.72
whitelisted

Threats

No threats detected
No debug info