File name: C:\Users\admin\Documents\Intertainment\Games Softwares\Sony.zip

Full analysis: https://app.any.run/tasks/84002b0a-2975-4522-9397-c7f084188836
Verdict: Malicious activity
Analysis date: July 17, 2019, 21:50:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: CF8F8CF4C6AFD9AF4724ADB695B5DF8A
SHA1: 6624F6BE781DCF47DA111DD43F9B32B060BD2E23
SHA256: 37269B0D8A1CE058A46E74ECB607DD973A40E6D9AC158C4C9AC76B933C14260C
SSDEEP: 196608:4yXrr8HdBjkcB9uCRFKIvnS46urXBccD1vPTR8rSFY6Saw1u6mJTGEcfRj2YRc:PrqEc7bRFKL4vrewkn9gbuRW

ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore be influenced by the analyst's own actions and is provided as is, for the reader's own assessment. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Sony.scr (PID: 3216)
      • NXOBPDXH.scr (PID: 2488)
      • Sony.scr (PID: 3952)
      • NXOBPDXH.scr (PID: 3012)
      • AKIQHJAGOGQY.scr (PID: 2168)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1048)
      • Sony.scr (PID: 3952)
      • NXOBPDXH.scr (PID: 2488)
      • NXOBPDXH.scr (PID: 3012)
      • AKIQHJAGOGQY.scr (PID: 2168)
    • Writes to a start menu file

      • NXOBPDXH.scr (PID: 2488)
      • AKIQHJAGOGQY.scr (PID: 2168)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1484)
      • Sony.scr (PID: 3952)
      • NXOBPDXH.scr (PID: 3012)
    • Starts application with an unusual extension

      • WinRAR.exe (PID: 1484)
      • Sony.scr (PID: 3952)
      • cmd.exe (PID: 3604)
      • NXOBPDXH.scr (PID: 3012)
    • Creates files in the user directory

      • NXOBPDXH.scr (PID: 2488)
      • AKIQHJAGOGQY.scr (PID: 2168)
    • Starts CMD.EXE for command execution

      • WScript.exe (PID: 2324)
    • Starts itself from another location

      • NXOBPDXH.scr (PID: 3012)
  • INFO

    • Manual execution by user

      • Sony.scr (PID: 3952)
      • WScript.exe (PID: 2324)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: experience.dll
ZipUncompressedSize: 16903557
ZipCompressedSize: 2871276
ZipCRC: 0xe5438896
ZipModifyDate: 2019:07:16 22:41:10
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 3

Behavior graph (reconstructed as text from the process and dropped-files tables; the original is an interactive diagram)

explorer.exe
  WinRAR.exe (1484)                  opens Sony.zip
    Sony.scr (3216)                  drop and start; exit code 0xC0000135, STATUS_DLL_NOT_FOUND
  Sony.scr (3952)                    manual execution by the user
    NXOBPDXH.scr (2488)              drop and start; writes Startup\HLLRPMTT.vbs
  WScript.exe (2324)                 runs Startup\HLLRPMTT.vbs
    cmd.exe (3604)                   deletes Startup\*.vbs, then
      NXOBPDXH.scr (3012)            start
        AKIQHJAGOGQY.scr (2168)      drop and start; writes Startup\CQSDVSSD.vbs
SearchIndexer.exe
  SearchProtocolHost.exe (1048)      flagged for loading a dropped executable

Process information

PID 1484  WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Sony.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin    Integrity Level: MEDIUM
  Company: Alexander Roshal    Description: WinRAR archiver    Version: 5.60.0

PID 3216  Sony.scr
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa1484.29039\Sony.scr" /S
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa1484.29039\Sony.scr
  Parent process: WinRAR.exe
  User: admin    Integrity Level: MEDIUM
  Company: Valve Corporation    Description: steamerrorreporter.exe    Version: 05.17.44.02
  Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND: the process could not find a DLL it imports)

PID 1048  SearchProtocolHost.exe
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM    Integrity Level: SYSTEM
  Company: Microsoft Corporation    Description: Microsoft Windows Search Protocol Host    Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3952  Sony.scr
  CMD: "C:\Users\admin\Desktop\Sony.scr" /S
  Path: C:\Users\admin\Desktop\Sony.scr
  Parent process: explorer.exe
  User: admin    Integrity Level: MEDIUM
  Company: Valve Corporation    Description: steamerrorreporter.exe    Version: 05.17.44.02
  Exit code: 0

PID 2488  NXOBPDXH.scr
  CMD: C:\Users\admin\Desktop\NXOBPDXH.scr
  Path: C:\Users\admin\Desktop\NXOBPDXH.scr
  Parent process: Sony.scr
  User: admin    Integrity Level: MEDIUM
  Company: Valve Corporation    Description: steamerrorreporter.exe    Version: 05.17.44.02
  Exit code: not recorded

PID 2324  WScript.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HLLRPMTT.vbs"
  Path: C:\Windows\System32\WScript.exe
  Parent process: explorer.exe
  User: admin    Integrity Level: MEDIUM
  Company: Microsoft Corporation    Description: Microsoft ® Windows Based Script Host    Version: 5.8.7600.16385
  Exit code: 0

PID 3604  cmd.exe
  CMD: "C:\Windows\System32\cmd.exe" /k c: & cd C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup & del *.vbs & cd C:\Users\admin\Desktop\ & NXOBPDXH.scr
  Path: C:\Windows\System32\cmd.exe
  Parent process: WScript.exe
  User: admin    Integrity Level: MEDIUM
  Company: Microsoft Corporation    Description: Windows Command Processor    Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Exit code: not recorded

PID 3012  NXOBPDXH.scr
  CMD: NXOBPDXH.scr
  Path: C:\Users\admin\Desktop\NXOBPDXH.scr
  Parent process: cmd.exe
  User: admin    Integrity Level: MEDIUM
  Company: Valve Corporation    Description: steamerrorreporter.exe    Version: 05.17.44.02
  Exit code: 0

PID 2168  AKIQHJAGOGQY.scr
  CMD: C:\Users\admin\Desktop\AKIQHJAGOGQY.scr
  Path: C:\Users\admin\Desktop\AKIQHJAGOGQY.scr
  Parent process: NXOBPDXH.scr
  User: admin    Integrity Level: MEDIUM
  Company: Valve Corporation    Description: steamerrorreporter.exe    Version: 05.17.44.02
  Exit code: 0

Every .scr in the chain carries Valve Corporation version information whose description names steamerrorreporter.exe, while the file on disk is called Sony.scr, NXOBPDXH.scr or AKIQHJAGOGQY.scr; that mismatch between version-info name and on-disk name is the same for each copy. The /S switch is the conventional "run the screen saver" argument for .scr files.
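The process table above is enough to reproduce most of the report's signature hits with a handful of rules. The following Python is an added example, not code from ANY.RUN or from the report: it builds the eight user-session process records from the table (SearchProtocolHost.exe, a SYSTEM indexer process, is left out), applies rules for a .scr run from a user-writable directory, a version-info name that disagrees with the file name, a generated-looking upper-case file name, a Startup-folder .vbs run by WScript.exe, and the cmd.exe step that deletes the .vbs and relaunches the payload. The rule names, the "random name" pattern and the verdict logic are this example's own conventions, not ANY.RUN signature identifiers.

```python
"""Added example, not part of the ANY.RUN report: re-derive behavioural
findings from the process records in the table above.

PROCESSES is constructed from the report's PID, command line, path, parent
and version-info fields. Rule names, the random-name pattern and the verdict
logic are this example's own conventions, not ANY.RUN signature identifiers."""
import re

STARTUP = r"\Microsoft\Windows\Start Menu\Programs\Startup"
RANDOM_NAME = re.compile(r"^[A-Z]{8,12}\.(scr|vbs)$")  # NXOBPDXH.scr, AKIQHJAGOGQY.scr, HLLRPMTT.vbs

PROCESSES = [  # constructed from the report's process table
    {"pid": 1484, "parent": "explorer.exe", "path": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Sony.zip"',
     "company": "Alexander Roshal", "description": "WinRAR archiver"},
    {"pid": 3216, "parent": "WinRAR.exe",
     "path": r"C:\Users\admin\AppData\Local\Temp\Rar$DIa1484.29039\Sony.scr",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$DIa1484.29039\Sony.scr" /S',
     "company": "Valve Corporation", "description": "steamerrorreporter.exe"},
    {"pid": 3952, "parent": "explorer.exe", "path": r"C:\Users\admin\Desktop\Sony.scr",
     "cmd": r'"C:\Users\admin\Desktop\Sony.scr" /S',
     "company": "Valve Corporation", "description": "steamerrorreporter.exe"},
    {"pid": 2488, "parent": "Sony.scr", "path": r"C:\Users\admin\Desktop\NXOBPDXH.scr",
     "cmd": r"C:\Users\admin\Desktop\NXOBPDXH.scr",
     "company": "Valve Corporation", "description": "steamerrorreporter.exe"},
    {"pid": 2324, "parent": "explorer.exe", "path": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HLLRPMTT.vbs"',
     "company": "Microsoft Corporation", "description": "Microsoft Windows Based Script Host"},
    {"pid": 3604, "parent": "WScript.exe", "path": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k c: & cd C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup & del *.vbs & cd C:\Users\admin\Desktop\ & NXOBPDXH.scr',
     "company": "Microsoft Corporation", "description": "Windows Command Processor"},
    {"pid": 3012, "parent": "cmd.exe", "path": r"C:\Users\admin\Desktop\NXOBPDXH.scr",
     "cmd": "NXOBPDXH.scr",
     "company": "Valve Corporation", "description": "steamerrorreporter.exe"},
    {"pid": 2168, "parent": "NXOBPDXH.scr", "path": r"C:\Users\admin\Desktop\AKIQHJAGOGQY.scr",
     "cmd": r"C:\Users\admin\Desktop\AKIQHJAGOGQY.scr",
     "company": "Valve Corporation", "description": "steamerrorreporter.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def rule_scr_from_user_dir(p):
    """A screen saver (.scr) started from a user-writable location. The /S
    switch is the screen-saver 'run' convention; it is not required here."""
    return basename(p["path"]).lower().endswith(".scr") and p["path"].lower().startswith("c:\\users\\")


def rule_versioninfo_name_mismatch(p):
    """Version info names a different executable (steamerrorreporter.exe) than
    the file on disk (Sony.scr): a renamed or re-labelled binary."""
    desc = p["description"].lower()
    return desc.endswith(".exe") and desc != basename(p["path"]).lower()


def rule_random_name(p):
    return RANDOM_NAME.match(basename(p["path"])) is not None


def rule_wscript_from_startup(p):
    return basename(p["path"]).lower() == "wscript.exe" and STARTUP.lower() in p["cmd"].lower()


def rule_startup_vbs_cleanup_relaunch(p):
    """cmd.exe launched by the Startup script deletes the .vbs that started it
    and re-runs the payload from the Desktop: self-erasing persistence."""
    cmd = p["cmd"].lower()
    return (basename(p["path"]).lower() == "cmd.exe"
            and p["parent"].lower() == "wscript.exe"
            and "del *.vbs" in cmd
            and STARTUP.lower() in cmd
            and re.search(r"&\s*\S+\.scr\s*$", cmd) is not None)


RULES = {
    "scr_from_user_dir": rule_scr_from_user_dir,
    "versioninfo_name_mismatch": rule_versioninfo_name_mismatch,
    "random_name": rule_random_name,
    "wscript_from_startup": rule_wscript_from_startup,
    "startup_vbs_cleanup_relaunch": rule_startup_vbs_cleanup_relaunch,
}


def analyze(processes):
    """Map each PID to the names of the rules it trips; PIDs with no hits are omitted."""
    findings = {}
    for p in processes:
        hits = [name for name, rule in RULES.items() if rule(p)]
        if hits:
            findings[p["pid"]] = hits
    return findings


def verdict(findings):
    """Startup persistence plus the delete-and-relaunch step is the combination
    this example treats as malicious; any other hit is only suspicious."""
    tripped = {name for hits in findings.values() for name in hits}
    if {"wscript_from_startup", "startup_vbs_cleanup_relaunch"} <= tripped:
        return "Malicious activity"
    return "Suspicious activity" if tripped else "No threats detected"


if __name__ == "__main__":
    found = analyze(PROCESSES)
    for pid, hits in sorted(found.items()):
        print(pid, ", ".join(hits))
    print(verdict(found))
```

Run stand-alone it prints one line per flagged PID and the overall verdict; WinRAR.exe trips nothing, each .scr trips the user-directory and version-info rules, the two generated names add the random-name rule, and the WScript.exe/cmd.exe pair together produce "Malicious activity". The version-info rule is the cheapest of the five to apply at scale, since it needs only the PE resource, not a process tree.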
Total events: 560
Read events: 540
Write events: 20
Delete events: 0

Modification events

All ten recorded registry writes come from WinRAR.exe (PID 1484) and are the archiver's own interface state, archive history and column-width settings; the MuiCache entry for @shell32,-10162 is the shell caching the display name "Screen saver" for the .scr shown in the archive listing.

Key                                                                                    Operation  Name             Value
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes                                     write      ShellExtBMP      (empty)
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes                                     write      ShellExtIcon     (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E                                   write      LanguageList     en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                                           write      0                C:\Users\admin\Desktop\Sony.zip
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths                            write      name             120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths                            write      size             80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths                            write      type             120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths                            write      mtime            100
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E                                   write      @shell32,-10162  Screen saver
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  write      UNCAsIntranet    0
Executable files: 3
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID   Process           Filename                                                                                        Type
1484  WinRAR.exe        C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\experience.dll                              not recorded (no hashes)
1484  WinRAR.exe        C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\Sony.scr                                    not recorded (no hashes)
1484  WinRAR.exe        C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\tier0_s.dll                                 not recorded (no hashes)
1484  WinRAR.exe        C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\vstdlib_s.dll                               not recorded (no hashes)
3012  NXOBPDXH.scr      C:\Users\admin\Desktop\USER-PC.mp3                                                              not recorded (no hashes)
3952  Sony.scr          C:\Users\admin\Desktop\USER-PC.mp3                                                              text
      MD5: 67E6920FE1066B6946CFB082CE9AE195
      SHA256: E18A2DA963045FCEC2C5C4C67E46919CF42D1091A9FDACF6846D9CAE3AD13918
3012  NXOBPDXH.scr      C:\Users\admin\Desktop\AKIQHJAGOGQY.scr                                                         executable
      MD5: A1A14423E075CBE5FE90F836B0ED1872
      SHA256: 118442CE842D9D89D42073C9DEDCCA697ADCE814D9EAB66DBB0BE3D1E8BF5FB9
2488  NXOBPDXH.scr      C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HLLRPMTT.vbs       text
      MD5: D5214DCDAF86A0C501656AF9B4B60898
      SHA256: 54585D848DF57801AC37FDB0AD83F487667BB88E0D52527F46E82A32260F7C5C
2168  AKIQHJAGOGQY.scr  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CQSDVSSD.vbs       text
      MD5: E7350CB4D8441F91296AB15EB228EABC
      SHA256: 674E5B144D2655A7A4A405437004BA680909F8A5AE12CA17BD5C1567B7743AF3
3952  Sony.scr          C:\Users\admin\Desktop\NXOBPDXH.scr                                                             executable
      MD5: A1A14423E075CBE5FE90F836B0ED1872
      SHA256: 118442CE842D9D89D42073C9DEDCCA697ADCE814D9EAB66DBB0BE3D1E8BF5FB9

NXOBPDXH.scr and AKIQHJAGOGQY.scr have identical MD5 and SHA256 values: each generation of the payload writes a byte-for-byte copy of itself to the Desktop under a new upper-case name and plants a fresh .vbs in the Startup folder to launch it. The file dropped as USER-PC.mp3 is classified as text, not audio, despite its extension. The archive itself, as extracted by WinRAR, contains experience.dll, tier0_s.dll and vstdlib_s.dll alongside Sony.scr.
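The dropped-files table is where the re-dropping behaviour shows up most clearly, because the sandbox records hashes. The following Python is an added example, not ANY.RUN code or code from the report: it takes the table's rows, groups them by SHA256 to find files that are the same binary under different names, separates Startup-folder persistence from archive-extraction and Desktop drops, flags generated-looking names, and flags a declared type that disagrees with the extension (USER-PC.mp3 recorded as text). The DROPS rows are constructed from the table; the location labels, the extension sets and the name pattern are this example's own, and the guess that USER-PC is the sandbox host name is an assumption the report does not state.

```python
"""Added example, not part of the ANY.RUN report: group the dropped files
from the table above by content hash and classify them by location and
declared type.

DROPS is constructed from the report's dropped-files table as
(PID, process, path, type, MD5, SHA256), with empty strings where the
report records nothing. Location labels, extension sets and the
generated-name pattern are this example's own."""
import re

STARTUP = r"\Microsoft\Windows\Start Menu\Programs\Startup"
RAR_TEMP = r"\AppData\Local\Temp\Rar$"
GENERATED = re.compile(r"^[A-Z]{8,12}\.[a-z]{3}$")  # NXOBPDXH.scr, HLLRPMTT.vbs
TEXT_EXT = {"txt", "vbs", "js", "bat", "cmd", "ps1", "ini", "log", "xml", "json", "html", "csv"}
EXE_EXT = {"exe", "dll", "scr", "sys", "cpl", "ocx"}

DROPS = [  # constructed from the report's dropped-files table, in the report's order
    (1484, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\experience.dll", "", "", ""),
    (1484, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\Sony.scr", "", "", ""),
    (1484, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\tier0_s.dll", "", "", ""),
    (1484, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.29950\vstdlib_s.dll", "", "", ""),
    (3012, "NXOBPDXH.scr", r"C:\Users\admin\Desktop\USER-PC.mp3", "", "", ""),
    (3952, "Sony.scr", r"C:\Users\admin\Desktop\USER-PC.mp3", "text",
     "67E6920FE1066B6946CFB082CE9AE195",
     "E18A2DA963045FCEC2C5C4C67E46919CF42D1091A9FDACF6846D9CAE3AD13918"),
    (3012, "NXOBPDXH.scr", r"C:\Users\admin\Desktop\AKIQHJAGOGQY.scr", "executable",
     "A1A14423E075CBE5FE90F836B0ED1872",
     "118442CE842D9D89D42073C9DEDCCA697ADCE814D9EAB66DBB0BE3D1E8BF5FB9"),
    (2488, "NXOBPDXH.scr", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HLLRPMTT.vbs", "text",
     "D5214DCDAF86A0C501656AF9B4B60898",
     "54585D848DF57801AC37FDB0AD83F487667BB88E0D52527F46E82A32260F7C5C"),
    (2168, "AKIQHJAGOGQY.scr", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CQSDVSSD.vbs", "text",
     "E7350CB4D8441F91296AB15EB228EABC",
     "674E5B144D2655A7A4A405437004BA680909F8A5AE12CA17BD5C1567B7743AF3"),
    (3952, "Sony.scr", r"C:\Users\admin\Desktop\NXOBPDXH.scr", "executable",
     "A1A14423E075CBE5FE90F836B0ED1872",
     "118442CE842D9D89D42073C9DEDCCA697ADCE814D9EAB66DBB0BE3D1E8BF5FB9"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def location(path):
    """Coarse label for where a dropped file landed."""
    low = path.lower()
    if STARTUP.lower() in low:
        return "startup_persistence"
    if RAR_TEMP.lower() in low:
        return "archive_extraction"
    if "\\desktop\\" in low:
        return "user_desktop"
    return "other"


def type_mismatch(name, ftype):
    """Declared content type disagrees with the extension (USER-PC.mp3 is 'text')."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ftype == "text":
        return ext not in TEXT_EXT
    if ftype == "executable":
        return ext not in EXE_EXT
    return False


def by_sha256(drops):
    """SHA256 -> every file name it was recorded under, in table order; unhashed rows skipped."""
    groups = {}
    for _, _, path, _, _, sha256 in drops:
        if sha256:
            groups.setdefault(sha256, []).append(basename(path))
    return groups


def summarize(drops):
    persistence, generated, mismatches, unhashed = [], [], [], []
    for _, _, path, ftype, _, sha256 in drops:
        name = basename(path)
        if location(path) == "startup_persistence" and path not in persistence:
            persistence.append(path)
        if GENERATED.match(name) and name not in generated:
            generated.append(name)
        if type_mismatch(name, ftype) and name not in mismatches:
            mismatches.append(name)
        if not sha256:
            unhashed.append(name)
    # one binary under several names: the payload copying itself under a new name
    same_binary = [sorted(set(names)) for names in by_sha256(drops).values() if len(set(names)) > 1]
    return {"same_binary": same_binary, "persistence": persistence,
            "generated_names": generated, "type_mismatch": mismatches, "unhashed": unhashed}


if __name__ == "__main__":
    for key, value in summarize(DROPS).items():
        print(f"{key}: {value}")
```

The useful output is same_binary, which pairs AKIQHJAGOGQY.scr with NXOBPDXH.scr on the shared SHA256, and unhashed, which lists the five rows (the four WinRAR extractions and the first USER-PC.mp3 write) for which the report has no hash and which therefore cannot be matched to the later copies; Sony.scr in particular is never hashed, so the report alone does not say whether it is the same binary as the two generated-name copies.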
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info