analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

setup_wnysxz001.exe

Full analysis: https://app.any.run/tasks/b2cb55a1-ffa8-4d86-ba4a-f0e2e85cbe36
Verdict: Malicious activity
Analysis date: July 18, 2019, 07:07:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
pup
pua
softcnapp
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7457A920304FAA494F748A540B00D2EC

SHA1:

CAA2F6D97024D8B2FFFEFE9AFF23871C355C9B0B

SHA256:

38CEB3D10AD9C92F6FE0BBFB538996B05EE47E4FEBC856AFEB61C03834F325BD

SSDEEP:

196608:SIZMZi34TFJNUWov4W+jG1NAMdzbqWDpJV073/CMKhP6uDkm9Hts3y4:jvyHNUTv4zeNAMdzbqWDpP0rCMxmkQi5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • WnZipPower32.exe (PID: 1456)
      • WnZipUtility.exe (PID: 2232)
      • WnZipPower32.exe (PID: 2848)
      • WnZipVirtualCD.exe (PID: 1528)
      • WnZipService.exe (PID: 4072)
      • WnZipUtility.exe (PID: 3664)
      • TimeHelp.exe (PID: 3064)
      • WnZipUtility.exe (PID: 2928)
      • WnZip.exe (PID: 3756)
      • WnZipUtility.exe (PID: 2848)
      • WnZipUtility.exe (PID: 1848)
      • WnZipUtility.exe (PID: 3752)
      • WnZipFileManager.exe (PID: 3708)
      • WnZipTool.exe (PID: 1824)
      • WnZipUtility.exe (PID: 3448)

    • Loads dropped or rewritten executable

      • WnZipPower32.exe (PID: 2848)
      • WnZipFileManager.exe (PID: 3708)

    • SOFTCNAPP was detected

      • WnZipUtility.exe (PID: 2928)
      • WnZipUtility.exe (PID: 3752)
      • WnZipTool.exe (PID: 1824)

  • SUSPICIOUS

    • Creates files in the program directory

      • setup_wnysxz001.exe (PID: 3000)
      • WnZipUtility.exe (PID: 2232)
      • WnZipFileManager.exe (PID: 3708)

    • Uses TASKKILL.EXE to kill process

      • setup_wnysxz001.exe (PID: 3000)

    • Executable content was dropped or overwritten

      • setup_wnysxz001.exe (PID: 3000)
      • WnZipVirtualCD.exe (PID: 1528)

    • Creates files in the driver directory

      • WnZipVirtualCD.exe (PID: 1528)

    • Creates files in the Windows directory

      • WnZipVirtualCD.exe (PID: 1528)

    • Creates a software uninstall entry

      • WnZipUtility.exe (PID: 2232)

    • Creates COM task schedule object

      • WnZipPower32.exe (PID: 2848)

    • Executed as Windows Service

      • WnZipService.exe (PID: 4072)

    • Application launched itself

      • WnZipUtility.exe (PID: 2928)

    • Modifies the open verb of a shell class

      • WnZipUtility.exe (PID: 1848)
      • WnZipUtility.exe (PID: 2232)

  • INFO

    • Manual execution by user

      • WnZip.exe (PID: 3756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:06:27 09:28:08+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 1577984
InitializedDataSize: 8332800
UninitializedDataSize: -
EntryPoint: 0x40ebd
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.9.19627
ProductVersionNumber: 1.3.9.19627
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: 万能压缩
FileDescription: 万能压缩
FileVersion: 1.3.9.19627
InternalName: 万能压缩
LegalCopyright: Copyright (C) 2019
OriginalFileName: Install.exe
ProductName: 万能压缩
ProductVersion: 1,3,9,19627

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Jun-2019 07:28:08
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • G:\svn\YaSuo\ChengXu\Tags\wntag_1.3.9.19627\Bundles\WanNengZip\Temp\Release\Install.pdb
CompanyName: 万能压缩
FileDescription: 万能压缩
FileVersion: 1.3.9.19627
InternalName: 万能压缩
LegalCopyright: Copyright (C) 2019
OriginalFilename: Install.exe
ProductName: 万能压缩
ProductVersion: 1,3,9,19627

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000148

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 27-Jun-2019 07:28:08
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00181363
0x00181400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.64637
.rdata
0x00183000
0x0006944C
0x00069600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.64652
.data
0x001ED000
0x0001245C
0x0000B400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.23462
.gfids
0x00200000
0x000001B4
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.51026
.tls
0x00201000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x00202000
0x00768DE4
0x00768E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.97354
.reloc
0x0096B000
0x000149FC
0x00014A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.58115

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.41141
1260
Latin 1 / Western European
English - United States
RT_MANIFEST
2
5.53107
67624
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
5.88889
38056
Latin 1 / Western European
Chinese - PRC
RT_ICON
4
5.67784
16936
Latin 1 / Western European
Chinese - PRC
RT_ICON
5
5.94895
9640
Latin 1 / Western European
Chinese - PRC
RT_ICON
6
5.93778
5512
Latin 1 / Western European
Chinese - PRC
RT_ICON
7
6.16633
2440
Latin 1 / Western European
Chinese - PRC
RT_ICON
8
6.07871
1720
Latin 1 / Western European
Chinese - PRC
RT_ICON
9
6.0888
1128
Latin 1 / Western European
Chinese - PRC
RT_ICON
101
3.09794
132
Latin 1 / Western European
Chinese - PRC
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
22
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start setup_wnysxz001.exe no specs setup_wnysxz001.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs wnziputility.exe wnzippower32.exe wnzipvirtualcd.exe wnzippower32.exe no specs wnzipservice.exe wnzip.exe timehelp.exe #SOFTCNAPP wnziputility.exe wnziputility.exe wnzipfilemanager.exe wnziputility.exe #SOFTCNAPP wnziputility.exe wnziputility.exe wnziputility.exe #SOFTCNAPP wnziptool.exe

Process information

PID
CMD
Path
Indicators
Parent process
2164"C:\Users\admin\Downloads\setup_wnysxz001.exe" C:\Users\admin\Downloads\setup_wnysxz001.exeexplorer.exe
User:
admin
Company:
万能压缩
Integrity Level:
MEDIUM
Description:
万能压缩
Exit code:
3221226540
Version:
1.3.9.19627
3000"C:\Users\admin\Downloads\setup_wnysxz001.exe" C:\Users\admin\Downloads\setup_wnysxz001.exe
explorer.exe
User:
admin
Company:
万能压缩
Integrity Level:
HIGH
Description:
万能压缩
Exit code:
0
Version:
1.3.9.19627
3476taskkill /f /im WnZipConfigd.exeC:\Windows\system32\taskkill.exesetup_wnysxz001.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3524taskkill /f /im WnZipService.exeC:\Windows\system32\taskkill.exesetup_wnysxz001.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3620taskkill /f /im WnZipTool.exeC:\Windows\system32\taskkill.exesetup_wnysxz001.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3672taskkill /f /im WnZipUtility.exeC:\Windows\system32\taskkill.exesetup_wnysxz001.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3928taskkill /f /im WnZipUninst.exeC:\Windows\system32\taskkill.exesetup_wnysxz001.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2232"C:\Program Files\WanNengZip\WnZipUtility.exe" InstallSpreadOperate --NewClientID wnysxz001****** --InstallSilent falseC:\Program Files\WanNengZip\WnZipUtility.exe
setup_wnysxz001.exe
User:
admin
Company:
万能压缩
Integrity Level:
HIGH
Description:
万能压缩
Version:
1.3.9.19627
1456"C:\Program Files\WanNengZip\WnZipPower32.exe" RegCMC:\Program Files\WanNengZip\WnZipPower32.exe
WnZipUtility.exe
User:
admin
Company:
万能压缩
Integrity Level:
HIGH
Description:
万能压缩
Exit code:
1
Version:
1.3.9.19627
1528"C:\Program Files\WanNengZip\WnZipVirtualCD.exe" /installC:\Program Files\WanNengZip\WnZipVirtualCD.exe
WnZipUtility.exe
User:
admin
Company:
www.wn51.com
Integrity Level:
HIGH
Description:
虚拟光盘
Exit code:
0
Version:
1.0.0.11031
Total events
2 096
Read events
412
Write events
0
Delete events
0

Modification events

No data
Executable files
26
Suspicious files
1
Text files
84
Unknown types
5

Dropped files

PID
Process
Filename
Type
3000setup_wnysxz001.exeC:\Users\admin\AppData\Local\Temp\WanNengZip-98075-7zData.7z
MD5:
SHA256:
3000setup_wnysxz001.exeC:\Users\admin\AppData\LocalLow\WanNengZip\Config\UseVestige.initext
MD5:D54460AE7869E8C1D2174BE5912D1CCD
SHA256:4716F70C27D4625A3DF565B6A339E391F7D97BBF7D1F73AAD4CB60FAD49208BA
3000setup_wnysxz001.exeC:\Program Files\WanNengZip\Setting\AlgorithmConfig.xmlxml
MD5:D3517B07CFF8652912B5DBD5B10C22AB
SHA256:2634C31C0AB0717E8A40FA62F9538A57BCB1065F5A65B44BF07F76A2138F7F62
3000setup_wnysxz001.exeC:\Program Files\WanNengZip\WnZipUninst.exeexecutable
MD5:6F75FCE6E13B1F3B1EB670644E200824
SHA256:0A84FA1D5D3DC6497169E88C5B2430EBA4BCED91635AA7750203D45ED5B19976
3000setup_wnysxz001.exeC:\Program Files\WanNengZip\Setting\FilterConfig.xmlxml
MD5:47B7A11DF71A074AE38BC52DA976401F
SHA256:5645B2234B8BF80D6568661D49497E1FE3D6F976580F7C8399DBE04469DCDC6E
3000setup_wnysxz001.exeC:\Program Files\WanNengZip\Lang\zh-cn.txttext
MD5:F651D44C7EDD6A12F09FDFCE81F75516
SHA256:0A4C2424D9349091E8B97FDDFABBBD6C633CE4B9E12DEE35EB61FF8106B41E37
3000setup_wnysxz001.exeC:\Program Files\WanNengZip\WnZipPower64.exeexecutable
MD5:8C5228046178F226B0A39E15A765DC0F
SHA256:4CA7C8AF3BFFB8F17B66691D91F7D0AAA1AB03649FF3F76F572210355266006E
3000setup_wnysxz001.exeC:\Program Files\WanNengZip\WanNengZip.initext
MD5:6055D30CD9B5E1D28283BB5D3AED7B02
SHA256:D61BF517DAA0C86D82EF0B6D9C9F06B2F5AA68E400C5CAD61B08996A2D4D9E3E
3000setup_wnysxz001.exeC:\Program Files\Common Files\WanNengZip\WanNengZip.initext
MD5:FEB5D4D79183A8754DB976370BE2B639
SHA256:0E2A61040D648D29B102DFAB3A1358D5305DD221BB20E72642816A178EF148F9
3000setup_wnysxz001.exeC:\Program Files\WanNengZip\TimeHelp.exeexecutable
MD5:E4B39A550587CFB20607B76C8FD5D335
SHA256:BBBC57648575768BB3FBB57A5C54D3C1320A91E1AEC4D2577F5E13E1B029D1B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
11
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2232
WnZipUtility.exe
GET
117.50.93.3:80
http://tjtv3.wn51.com/fdot.php?data=Nzg1OTQ3NTQ1ODU3MzA3MTIwMDMyNDcxMjQ2OTYxNjQ2NzE5MTk1MjQyMzMxOTAwMTgzMzE5NzEzNTYxMDMxMTAyNTgzNzA4NjczNDYyNDI2MzUyNDE0NjY1NTMwNDQzMDcxMjcxMDIxMTEyNTUzMTE1NjYyNjQ0MDczNTM3NTI2NTIyNzExMDE1NTgxMjE0MzUwMDY4MjIyNjE0MTE0MDIwNjczNTUxMjA2NzM1MDMyMDE2MjI3MDY3NDczOTYzNDMzNzIwNTk1MTMwNDk3MQ%3D%3D
CN
malicious
3000
setup_wnysxz001.exe
GET
120.132.61.186:80
http://tjv1.wn51.com/statistics/timestamp
CN
malicious
3664
WnZipUtility.exe
GET
117.50.93.3:80
http://proup.wn51.com/proup.php?data=NTMyMzUxMDQwNDYyMjI1NzA0NDEyNDU3MjE1ODIyNTYyMTM3MjMwMDIxNjIwMjI5MjEzNjAzMzcyMTM2MDQzNjIxMzcyMDY0MDQzNzIyNDgyMTQyMjQxNzYwNDIyOTAzMDYxNzAyNjU0NjM3MDY2NTA3NDgzODM4NzEyNDI5MDA0NDM2MjE2NTIxNTk1NjQ5NjM0NzM0NjUzMTQ3MDQ1NjMxMzYyNDI1MjE0NjIzNDkyMTQyNzEwMDYwMjQ2ODQ3MzM1ODQ5MjkzMjA4MzQ0MTA0MjUyODM3Njg2NzcwMjk2NTA5MzIyODY2Mjc0MzI4MjkyMjMyNjgzNzMzMzU1NA%3D%3D
CN
malicious
2848
WnZipUtility.exe
GET
117.50.93.3:80
http://proup.wn51.com/proup.php?data=MzUyMTc2NTE2NjYzNjcwODY2NDk1MTA4Njg0ODY3MjQ2ODM0NTk0NTY4NjM2MTQyNjgzOTY5MzQ2ODM5NjYzOTY4MzQ2MDQ3NjYzNDY3MTI2ODU3NTExNjY0NTc0MjY5NTAxNjYxMDI1NDM0NTAwMjA0MTIyMjIyMTE1MTQyNDU3MDM5NjgwMjY4NTYyNDI4NTU0NjE1MDIxOTQ2NjYyNDE5Mzk1MTQzNjg1NDU5Mjg2ODU3MTE0NTY0NTEzODQ2MDM0ODI4NDIwNzIwMTU0OTY2NDMzMDQyMDI3MDAwMzAxODY3MDAzODAyMjY0MDI5
CN
malicious
3752
WnZipUtility.exe
GET
200
163.171.140.206:80
http://d.wn51.com/yasuo/yp/yp.dat
US
binary
481 b
malicious
3064
TimeHelp.exe
GET
404
163.171.140.206:80
http://d.wn51.com/yasuo/cld/po.dat?rand=7011
US
text
41 b
malicious
2928
WnZipUtility.exe
GET
117.50.93.3:80
http://tjtv3.wn51.com/ts.php?data=NGI0NzA0MWI4MmExMGFkMjJmMjNjMmQyNmI1MDA2ODkJV2FuTmVuZ1ppcAkxLjMuMS45CXdueXN4ejAwMTE5MDcxOAlMb25nU3ByaXRlCTEJMA%3D%3D
CN
malicious
3448
WnZipUtility.exe
GET
106.75.114.162:80
http://tjv5.wn51.com/statistics/timestamp
CN
malicious
1824
WnZipTool.exe
GET
200
163.171.140.206:80
http://d.wn51.com/yasuo/cld/tt.dat?rand=10253
US
binary
326 b
malicious
2928
WnZipUtility.exe
GET
200
163.171.140.206:80
http://d.wn51.com/yasuo/cld/st.dat
US
binary
597 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3000
setup_wnysxz001.exe
120.132.61.186:80
tjv1.wn51.com
China Unicom Beijing Province Network
CN
malicious
3064
TimeHelp.exe
163.171.140.206:80
d.wn51.com
US
malicious
2848
WnZipUtility.exe
117.50.93.3:80
tjtv3.wn51.com
IDC, China Telecommunications Corporation
CN
malicious
3752
WnZipUtility.exe
163.171.140.206:80
d.wn51.com
US
malicious
2232
WnZipUtility.exe
117.50.93.3:80
tjtv3.wn51.com
IDC, China Telecommunications Corporation
CN
malicious
3664
WnZipUtility.exe
117.50.93.3:80
tjtv3.wn51.com
IDC, China Telecommunications Corporation
CN
malicious
2928
WnZipUtility.exe
163.171.140.206:80
d.wn51.com
US
malicious
2928
WnZipUtility.exe
117.50.93.3:80
tjtv3.wn51.com
IDC, China Telecommunications Corporation
CN
malicious
1824
WnZipTool.exe
163.171.140.206:80
d.wn51.com
US
malicious
1824
WnZipTool.exe
117.50.93.3:80
tjtv3.wn51.com
IDC, China Telecommunications Corporation
CN
malicious

DNS requests

Domain
IP
Reputation
tjv1.wn51.com
  • 120.132.61.186
malicious
config.wn51.com
suspicious
tjtv3.wn51.com
  • 117.50.93.3
unknown
d.wn51.com
  • 163.171.140.206
malicious
proup.wn51.com
  • 117.50.93.3
malicious
tjv5.wn51.com
  • 106.75.114.162
malicious

Threats

PID
Process
Class
Message
3752
WnZipUtility.exe
Misc activity
ADWARE [PTsecurity] Softcnapp.J PUP
3752
WnZipUtility.exe
Misc activity
ADWARE [PTsecurity] PUA.Softcnapp payload
2928
WnZipUtility.exe
Misc activity
ADWARE [PTsecurity] PUA.Softcnapp payload
1824
WnZipTool.exe
Misc activity
ADWARE [PTsecurity] PUA.Softcnapp payload
Process
Message
setup_wnysxz001.exe
[zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipUtility.exe" InstallSpreadOperate --NewClientID wnysxz001****** --InstallSilent false)
WnZipUtility.exe
[zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipPower32.exe" RegCM)
WnZipUtility.exe
[zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipVirtualCD.exe" /install)
WnZipPower32.exe
[zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipPower32.exe" Reg32CM)
WnZipUtility.exe
CheckRegSZValue false -
WnZipUtility.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\UserChoice
WnZipUtility.exe
WnZipUtility.exe
CheckRegSZValue false -
WnZipUtility.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zipx\UserChoice
WnZipUtility.exe
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
setup_wnysxz001.exe