File name: CCSK.zip
Full analysis: https://app.any.run/tasks/350b3540-daf8-43bd-b7a2-565d2d4274a5
Verdict: Malicious activity
Analysis date: May 20, 2022, 16:07:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 24C31D6215087D34B85FD7E96E5ABD11
SHA1: 83DA1CCC2E86A9F4E7B70FADA78A065802F1B2ED
SHA256: 3D54ABA572394717766FA716D5EFF3CEC8B899AE74BD709D54DCB16DC1D1D35B
SSDEEP: 49152:EQ0Ur1nOkf9k1kVpIlrlajOHHLUCq/ONsXwQOlXCcqq2bbhwUzcu3j:E5kOu9k+IrajOLUCLY0DqVwwz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • WinRAR.exe (PID: 2952)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2952)
      • Setup.exe (PID: 2224)
      • Setup.exe (PID: 3812)
    • Application was dropped or rewritten from another process

      • Setup.exe (PID: 752)
      • Setup.exe (PID: 2224)
      • Setup.exe (PID: 2616)
      • Setup.exe (PID: 3812)
    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3812)
      • Setup.exe (PID: 2224)
    • Changes settings of System certificates

      • Setup.exe (PID: 3812)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2952)
      • Setup.exe (PID: 2224)
      • Setup.exe (PID: 3812)
    • Checks supported languages

      • WinRAR.exe (PID: 2952)
      • Setup.exe (PID: 2224)
      • Setup.exe (PID: 3812)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2952)
      • Setup.exe (PID: 2224)
      • Setup.exe (PID: 3812)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2952)
      • Setup.exe (PID: 2224)
      • Setup.exe (PID: 3812)
    • Creates files in the program directory

      • Setup.exe (PID: 2224)
      • Setup.exe (PID: 3812)
    • Reads Environment values

      • Setup.exe (PID: 3812)
      • Setup.exe (PID: 2224)
    • Creates a directory in Program Files

      • Setup.exe (PID: 3812)
    • Creates files in the user directory

      • Setup.exe (PID: 3812)
    • Adds / modifies Windows certificates

      • Setup.exe (PID: 3812)
    • Creates a software uninstall entry

      • Setup.exe (PID: 3812)
  • INFO

    • Checks supported languages

      • WISPTIS.EXE (PID: 2988)
      • taskmgr.exe (PID: 4068)
      • WISPTIS.EXE (PID: 1332)
    • Reads the computer name

      • WISPTIS.EXE (PID: 1332)
      • taskmgr.exe (PID: 4068)
    • Reads settings of System Certificates

      • Setup.exe (PID: 3812)
    • Manual execution by user

      • taskmgr.exe (PID: 4068)
Signature artifacts and their mapping to the MITRE ATT&CK™ matrix are in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Setup.exe
ZipUncompressedSize: 2112512
ZipCompressedSize: 1840089
ZipCRC: 0xb5d4aee2
ZipModifyDate: 2019:05:24 23:23:25
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
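The hashes and EXIF ZIP fields above are the static part of this report and can be reproduced locally before the sample is ever executed. The script below is an added example written for this page, not ANY.RUN's code. It uses only the Python standard library (ssdeep has no standard-library implementation and is omitted) and builds a small constructed ZIP containing placeholder bytes named Setup.exe, so the values it prints describe that stand-in and not CCSK.zip. One caveat it encodes: the DOS date/time field in a ZIP header stores seconds divided by two, so a modify time read from that field always has an even seconds value.

```python
"""Static triage of a ZIP sample with the standard library: reproduce the
MD5/SHA1/SHA256 and EXIF ZIP fields a sandbox report shows before running
anything. ssdeep has no stdlib implementation and is left out."""
import hashlib
import io
import zipfile
import zlib
from datetime import datetime

# Method names as ExifTool prints them for the ZipCompression tag.
_METHODS = {
    zipfile.ZIP_STORED: "None",
    zipfile.ZIP_DEFLATED: "Deflated",
    zipfile.ZIP_BZIP2: "BZip2",
    zipfile.ZIP_LZMA: "LZMA",
}
_EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".cpl")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole archive, upper-case hex like the report."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def crc32_hex(data: bytes) -> str:
    """CRC-32 of an entry's *uncompressed* content, in ExifTool's 0x format."""
    return f"0x{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def zip_entries(data: bytes) -> list:
    """One record per central-directory entry, keyed like the EXIF ZIP tags.
    Nothing is extracted: every field comes from the directory headers."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # DOS date/time stores seconds // 2, so this field is always even.
            mtime = datetime(*info.date_time).strftime("%Y:%m:%d %H:%M:%S")
            records.append({
                "ZipFileName": info.filename,
                "ZipUncompressedSize": info.file_size,
                "ZipCompressedSize": info.compress_size,
                "ZipCRC": f"0x{info.CRC:08x}",
                "ZipModifyDate": mtime,
                "ZipCompression": _METHODS.get(info.compress_type, str(info.compress_type)),
                "ZipRequiredVersion": info.extract_version,
                # Executables inside an archive are the first thing to pull out.
                "ExecutableName": info.filename.lower().endswith(_EXEC_EXT),
            })
    return records


def build_sample_zip(payload: bytes, name: str = "Setup.exe") -> bytes:
    """Constructed stand-in for CCSK.zip: one Deflated entry with a 2019 timestamp.
    The payload is placeholder bytes, not a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo(name, date_time=(2019, 5, 24, 23, 23, 24))
        zi.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(zi, payload)
    return buf.getvalue()


# Constructed placeholder content; only the "MZ" prefix imitates a PE header.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a PE\n" * 20

if __name__ == "__main__":
    blob = build_sample_zip(SAMPLE_PAYLOAD)
    for algo, digest in file_hashes(blob).items():
        print(f"{algo.upper()}: {digest}")
    for rec in zip_entries(blob):
        for key, value in rec.items():
            print(f"{key}: {value}")
```

Run against the real archive, `file_hashes(open(path, "rb").read())` should return exactly the MD5/SHA1/SHA256 listed above; if it does not, the file on disk is not the one this report describes, and the ZIP metadata (entry name, sizes, CRC) gives the same sanity check for the inner Setup.exe without extracting it.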
All screenshots are available in the full report
Total processes: 50
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 1

Behavior graph

[Behavior graph, rendered in the full report: winrar.exe drops and starts setup.exe (four instances, two of them marked "no specs"); setup.exe starts wisptis.exe (four instances, all "no specs"); taskmgr.exe ("no specs") was started manually by the user. "no specs" marks a process with no signatures attached.]

Process information

PID: 2952
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CCSK.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 752
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.074\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.074\Setup.exe
Parent process: WinRAR.exe
User:
admin
Company:
Byte01 Solutions
Integrity Level:
MEDIUM
Description:
Setup
Exit code:
3221226540
Version:
1.2.1905.2423
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rar$exa2952.074\setup.exe
PID: 2224
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.074\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.074\Setup.exe
Parent process: WinRAR.exe
User:
admin
Company:
Byte01 Solutions
Integrity Level:
HIGH
Description:
Setup
Exit code:
0
Version:
1.2.1905.2423
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2952.074\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 2616
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.169\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.169\Setup.exe
Parent process: WinRAR.exe
User:
admin
Company:
Byte01 Solutions
Integrity Level:
MEDIUM
Description:
Setup
Exit code:
3221226540
Version:
1.2.1905.2423
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2952.169\setup.exe
c:\windows\system32\ntdll.dll
PID: 3812
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.169\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.169\Setup.exe
Parent process: WinRAR.exe
User:
admin
Company:
Byte01 Solutions
Integrity Level:
HIGH
Description:
Setup
Exit code:
0
Version:
1.2.1905.2423
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2952.169\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 2188
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
PID: 2212
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
PID: 1332
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Exit code:
24
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wisptis.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
PID: 2988
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Exit code:
23
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 4068
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
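The process table above lists Setup.exe four times: two MEDIUM-integrity instances that exit with code 3221226540 and two HIGH-integrity instances that exit 0, each pair sharing one command line. 3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED: the installer demands administrator rights, the plain launch from WinRAR is terminated with that status, and the HIGH-integrity copy is the relaunch after the elevation request was granted (by the analyst clicking through the UAC prompt in the interactive session, or silently if UAC is set to never notify). That is why the disclaimer at the top of the report matters: what ran at HIGH integrity depended on a user action. The script below is an added example written for this page, not ANY.RUN tooling. It transcribes the rows above (parents given by image name, exactly as the report lists them), decodes NTSTATUS-range exit codes from a small hand-maintained table, rebuilds the parent/child grouping, and pairs each failed launch with its elevated relaunch.

```python
"""Read a sandbox process table the way an analyst does: rebuild the parent/
child grouping, decode NTSTATUS-range exit codes, and pair each launch that
died with STATUS_ELEVATION_REQUIRED with its UAC-elevated relaunch."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hand-maintained subset of ntstatus.h; extend as needed.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: str            # the report names the parent by image, not by PID
    integrity: str
    exit_code: Optional[int]
    cmd: str


# Transcribed from the "Process information" table of this report.
SETUP_074 = r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.074\Setup.exe"'
SETUP_169 = r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.169\Setup.exe"'
WISPTIS = r'"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;'
PROCESSES: List[Proc] = [
    Proc(2952, "WinRAR.exe", "Explorer.EXE", "MEDIUM", None,
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CCSK.zip"'),
    Proc(752, "Setup.exe", "WinRAR.exe", "MEDIUM", 3221226540, SETUP_074),
    Proc(2224, "Setup.exe", "WinRAR.exe", "HIGH", 0, SETUP_074),
    Proc(2616, "Setup.exe", "WinRAR.exe", "MEDIUM", 3221226540, SETUP_169),
    Proc(3812, "Setup.exe", "WinRAR.exe", "HIGH", 0, SETUP_169),
    Proc(2188, "WISPTIS.EXE", "Setup.exe", "HIGH", 3221226540, WISPTIS),
    Proc(2212, "WISPTIS.EXE", "Setup.exe", "HIGH", 3221226540, WISPTIS),
    Proc(1332, "WISPTIS.EXE", "Setup.exe", "HIGH", 24, WISPTIS),
    Proc(2988, "WISPTIS.EXE", "Setup.exe", "HIGH", 23, WISPTIS),
    Proc(4068, "taskmgr.exe", "Explorer.EXE", "MEDIUM", None,
         r'"C:\Windows\system32\taskmgr.exe" /4'),
]


def decode_exit_code(code: Optional[int]) -> str:
    """Sandboxes print exit codes in decimal; anything >= 0x80000000 is an
    NTSTATUS the system used to end the process, not an application return value."""
    if code is None:
        return "not recorded (still running at the end of the task)"
    if code < 0x80000000:
        return f"{code} (application exit code)"
    return f"0x{code:08X} {NTSTATUS.get(code, 'unrecognised NTSTATUS')}"


def children_by_parent(procs: List[Proc]) -> Dict[str, List[int]]:
    """Group child PIDs under the parent image name, in table order."""
    tree: Dict[str, List[int]] = defaultdict(list)
    for p in procs:
        tree[p.parent].append(p.pid)
    return dict(tree)


def elevation_relaunches(procs: List[Proc]) -> List[Tuple[int, int]]:
    """A MEDIUM-integrity process that exits with STATUS_ELEVATION_REQUIRED,
    plus a HIGH-integrity process with the same parent and command line, is the
    footprint of a UAC-elevated relaunch. Each elevated PID is claimed once."""
    pairs: List[Tuple[int, int]] = []
    claimed = set()
    for failed in procs:
        if failed.exit_code != 0xC000042C or failed.integrity != "MEDIUM":
            continue
        for cand in procs:
            if (cand.pid != failed.pid and cand.pid not in claimed
                    and cand.integrity == "HIGH"
                    and cand.parent == failed.parent and cand.cmd == failed.cmd):
                pairs.append((failed.pid, cand.pid))
                claimed.add(cand.pid)
                break
    return pairs


if __name__ == "__main__":
    for parent, pids in children_by_parent(PROCESSES).items():
        print(f"{parent}: {pids}")
    for p in PROCESSES:
        print(f"PID {p.pid:>4} {p.image:<12} {p.integrity:<6} {decode_exit_code(p.exit_code)}")
    for failed, elevated in elevation_relaunches(PROCESSES):
        print(f"PID {failed} needed elevation -> relaunched elevated as PID {elevated}")
```

Because the report keys parents by image name rather than PID, the four WISPTIS.EXE children are grouped under "Setup.exe" collectively; the table does not say which of the two elevated Setup.exe instances started them, and the code does not guess.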
Total events: 6 165
Read events: 6 058
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 6
Suspicious files: 3
Text files: 3
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3812 | Setup.exe | C:\ProgramData\study4exam\Exams\CCSK.exm | compressed
    MD5: 812502F734D8E6182D5AF0577478BDCF
    SHA256: 726A1D5B8050EBE184A37394BC8F811CF54211DCF4835EE5EE105CFAC1AF0F48
2224 | Setup.exe | C:\ProgramData\study4exam\Logs\Setup20220520_001.log | text
    MD5: BE9D8283B43DCD4599568881076E36B8
    SHA256: 2AC5D1FACCB434F1370E776110F8FA1C506D8595388C5A2F7A79FE471F04CFB1
3812 | Setup.exe | C:\Program Files\study4exam\study4exam.ico | image
    MD5: 2CD564C46580D36A17F9C10D29423A39
    SHA256: D4798F7C92ADCD4E7FAF1F51272D91A8CC66CF735297E474CBA08E952E538291
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.074\manifest.mnx | fli
    MD5: BD5E6F4692C134247EABB99AC05CCE93
    SHA256: 4B18A66E1E9B8D03CDFF4E0CA359A6D34E2B283420B9461EB5F2B9DB3394C2E0
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2952.169\manifest.mnx | fli
    MD5: BD5E6F4692C134247EABB99AC05CCE93
    SHA256: 4B18A66E1E9B8D03CDFF4E0CA359A6D34E2B283420B9461EB5F2B9DB3394C2E0
3812 | Setup.exe | C:\Program Files\study4exam\manifest.mnx | fli
    MD5: BD5E6F4692C134247EABB99AC05CCE93
    SHA256: 4B18A66E1E9B8D03CDFF4E0CA359A6D34E2B283420B9461EB5F2B9DB3394C2E0
2224 | Setup.exe | C:\ProgramData\study4exam\Logs\Setup20220520.log | text
    MD5: D115D7F49EA888BA2BE01A35325521B9
    SHA256: F61DE7AB6B86405DC622F1A0C18744EFA3FD5358E70EB9970E3E9AC5CA393457
3812 | Setup.exe | C:\Users\admin\Desktop\study4exam.lnk | lnk
    MD5: 76611DA010376FE5074264A7A0086CB8
    SHA256: 4419FAA8F537E64CAB2F7DDA22CFF1BF55EC55421ECD864B53C33C3749988B22
3812 | Setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\study4exam.lnk | lnk
    MD5: ECE46F3A191F6467A230DB1525583A3B
    SHA256: 50BDE13512BA8E30AC1DB4DB7DF6FD164B92D0C6B03671A42C1615EAC5BC72A8
3812 | Setup.exe | C:\Users\admin\AppData\Local\Temp\tmpBE90.tmp | compressed
    MD5: 812502F734D8E6182D5AF0577478BDCF
    SHA256: 726A1D5B8050EBE184A37394BC8F811CF54211DCF4835EE5EE105CFAC1AF0F48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2224 | Setup.exe | 78.157.192.94:443 | www.practice4exam.com | UK Dedicated Servers Limited | GB | unknown
3812 | Setup.exe | 78.157.192.94:443 | www.practice4exam.com | UK Dedicated Servers Limited | GB | unknown

DNS requests

Domain | IP | Reputation
www.practice4exam.com | 78.157.192.94 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info