File name: umbrella.zip
Full analysis: https://app.any.run/tasks/48001bea-423e-41a4-a3f7-c939bde5e0aa
Verdict: Malicious activity
Analysis date: May 30, 2020, 14:14:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6097BD0FFA7A3A021F02E301983250BE
SHA1: 88E02B8CF22B9261F7C00D8047B05FFE166C1113
SHA256: 3A8EF6126814CA02F9440DEE890706428628AC67E1401F9D2726AE99447E0772
SSDEEP: 393216:AEaXZMbLkezb7whzk3/L1rnIj3nCEQefAvUwx:yXOfkezfxL1rIjSEQWBa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • UmbrellaInstaller.exe (PID: 3880)
      • UmbrellaInstaller.exe (PID: 2852)
      • UmbrellaInstaller.exe (PID: 2384)
      • UmbrellaInstaller.exe (PID: 3204)
    • Loads dropped or rewritten executable
      • UmbrellaInstaller.exe (PID: 2852)
      • UmbrellaInstaller.exe (PID: 3204)
    • Loads the Task Scheduler DLL interface
      • UmbrellaInstaller.exe (PID: 2852)
      • UmbrellaInstaller.exe (PID: 3204)
    • Changes settings of System certificates
      • UmbrellaInstaller.exe (PID: 2852)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3244)
      • UmbrellaInstaller.exe (PID: 2852)
      • UmbrellaInstaller.exe (PID: 3204)
    • Creates files in the user directory
      • UmbrellaInstaller.exe (PID: 2852)
      • UmbrellaInstaller.exe (PID: 3204)
    • Adds / modifies Windows certificates
      • UmbrellaInstaller.exe (PID: 2852)
  • INFO
    • Manual execution by user
      • UmbrellaInstaller.exe (PID: 3880)
      • UmbrellaInstaller.exe (PID: 2852)
      • UmbrellaInstaller.exe (PID: 3204)
      • UmbrellaInstaller.exe (PID: 2384)
    • Reads settings of System Certificates
      • UmbrellaInstaller.exe (PID: 2852)
    • Application launched itself
      • msiexec.exe (PID: 3360)
    • Loads dropped or rewritten executable
      • MsiExec.exe (PID: 3128)
      • MsiExec.exe (PID: 3968)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:05:16 14:33:06
ZipCRC: 0x68a66cbf
ZipCompressedSize: 13997165
ZipUncompressedSize: 15305448
ZipFileName: UmbrellaInstaller.exe
No data.
Total processes: 49
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes: start, winrar.exe, umbrellainstaller.exe (no specs), umbrellainstaller.exe, msiexec.exe (no specs), msiexec.exe (no specs), umbrellainstaller.exe (no specs), umbrellainstaller.exe, msiexec.exe (no specs)

Process information

PID 3244 (parent process: explorer.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\umbrella.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 3880 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\UmbrellaInstaller.exe"
Path: C:\Users\admin\Desktop\UmbrellaInstaller.exe
User: admin
Company: uc.zone
Integrity Level: MEDIUM
Description: Umbrella Loader Installer
Exit code: 3221226540
Version: 1.0.0

PID 2852 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\UmbrellaInstaller.exe"
Path: C:\Users\admin\Desktop\UmbrellaInstaller.exe
User: admin
Company: uc.zone
Integrity Level: HIGH
Description: Umbrella Loader Installer
Exit code: 1603
Version: 1.0.0

PID 3360 (parent process: services.exe)
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3128 (parent process: msiexec.exe)
CMD: C:\Windows\system32\MsiExec.exe -Embedding 24D79953E9A78CA0A17DA724C10F03A8 C
Path: C:\Windows\system32\MsiExec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2384 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\UmbrellaInstaller.exe"
Path: C:\Users\admin\Desktop\UmbrellaInstaller.exe
User: admin
Company: uc.zone
Integrity Level: MEDIUM
Description: Umbrella Loader Installer
Exit code: 3221226540
Version: 1.0.0

PID 3204 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\UmbrellaInstaller.exe"
Path: C:\Users\admin\Desktop\UmbrellaInstaller.exe
User: admin
Company: uc.zone
Integrity Level: HIGH
Description: Umbrella Loader Installer
Exit code: 1603
Version: 1.0.0

PID 3968 (parent process: msiexec.exe)
CMD: C:\Windows\system32\MsiExec.exe -Embedding D0B24334962729C4B66E52E1715C575F C
Path: C:\Windows\system32\MsiExec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 1 904
Read events: 689
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 12
Suspicious files: 0
Text files: 132
Unknown types: 0

Dropped files

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\uc.zone\Umbrella Loader 1.0.0\install\holder0.aiph
Type: n/a
MD5: n/a
SHA256: n/a

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI54DF.tmp
Type: n/a
MD5: n/a
SHA256: n/a

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI557C.tmp
Type: n/a
MD5: n/a
SHA256: n/a

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI558D.tmp
Type: n/a
MD5: n/a
SHA256: n/a

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\uc.zone\Umbrella Loader 1.0.0\install\68D1BE4\UmbrellaLoader.msi
Type: executable
MD5: 8C796F198144F60F778C0E2366D7F18A
SHA256: D38E9EC6D1FB5D703275B3078F1D9CE95EBA8C15879D0972511AF0FD5C18EEB5

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_2852\remove.png
Type: image
MD5: 897B1844BCA99F42FA3D527FF2091133
SHA256: 3A05E6DECEA8E68C1946E82AB0F9197715D579B6B199F3A69BD958B7327D0BFE

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_2852\frame_top_left_inactive.bmp
Type: image
MD5: 1966F4308086A013B8837DDDF88F67AD
SHA256: 17B5CD496D98DB14E7C9757E38892883C7B378407E1F136889A9921ABE040741

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_2852\background
Type: image
MD5: A0EFB0E7B9CEE25B09E09A1A64E96BA6
SHA256: F044F542BC46464054084C63596877F06C6E2C215C0E954C4ACE9787CED82787

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\uc.zone\Umbrella Loader 1.0.0\install\decoder.dll
Type: executable
MD5: 939228F374510807B94D2E32C80744B6
SHA256: 63B4E30B510150E188BFBC31301CCE731FB5CF7557AC17EE2BA099A198FC40D0

PID 2852, UmbrellaInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_2852\frame_bottom_left_inactive.bmp
Type: image
MD5: 821930553EF406B0C82D9420D3351C78
SHA256: D5E9F3533CB7D727611AAFAA5AF22FA07EFEAEC0391A011ECF9803BED867DE7A
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info