File name:

Statement 15 Sep.zip

Full analysis: https://app.any.run/tasks/ac1ba498-7f0c-455b-92d0-84eeb1ab187a
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: June 19, 2019, 13:34:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

ED3D04078E8ED60F43235E81F57147FE

SHA1:

A1BEC5B26CFED5A03C47CA15C74F43E03AF2D0D6

SHA256:

433386E2296CB5596B696DAA19EE83DD2EB3EFA0122427B73D17500E08D1671A

SSDEEP:

384:tJU4nE6T4DjFW/UsobrgWI0wHdz3FPEiDUuxyCwuhY5:o4RTWj9H0X0w9z+iF45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Statement 15 Sep.scr (PID: 2648)

    • Uses SVCHOST.EXE for hidden code execution

      • Statement 15 Sep.scr (PID: 2648)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2932)

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 2932)

    • Checks for external IP

      • svchost.exe (PID: 2944)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2015:09:15 00:54:05
ZipCRC: 0x2cd8e551
ZipCompressedSize: 20728
ZipUncompressedSize: 34816
ZipFileName: Statement 15 Sep.scr
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winrar.exe statement 15 sep.scr no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2648"C:\Users\admin\AppData\Local\Temp\Rar$DIa2932.30216\Statement 15 Sep.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIa2932.30216\Statement 15 Sep.scrWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$dia2932.30216\statement 15 sep.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2932"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Statement 15 Sep.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2944svchost.exeC:\Windows\system32\svchost.exe
Statement 15 Sep.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
Total events
479
Read events
447
Write events
32
Delete events
0

Modification events

(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2932) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Statement 15 Sep.zip
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2932) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:@shell32,-10162
Value:
Screen saver
(PID) Process:(2944) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2932.30216\Statement 15 Sep.screxecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
1
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2944
svchost.exe
GET
429
146.112.255.205:80
http://myip.dnsomatic.com/
unknown
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2944
svchost.exe
146.112.255.205:80
myip.dnsomatic.com
OpenDNS, LLC
malicious
2944
svchost.exe
197.149.90.166:12178
Cobranet Limited
NG
malicious
69.144.171.44:443
Charter Communications
US
unknown
2944
svchost.exe
69.9.204.114:443
Midcontinent Communications
US
unknown
69.9.204.114:443
Midcontinent Communications
US
unknown

DNS requests

Domain
IP
Reputation
myip.dnsomatic.com
  • 146.112.255.205
suspicious

Threats

PID
Process
Class
Message
2944
svchost.exe
A Network Trojan was detected
ET TROJAN Common Upatre Header Structure 2
2944
svchost.exe
Attempted Information Leak
ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Statement 15 Sep.zip