File name: ZipRipper.cmd

Full analysis: https://app.any.run/tasks/a0bb98aa-8c1f-4d3a-a6dd-641819a1989b
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 19:30:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, reflection, loader
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (7834), with CRLF line terminators
MD5: 1668D255E23D267411DF031FAD3C2501
SHA1: AFE1CE3B7AB5B8030FAFF613B363FE8B8FFCD3E1
SHA256: 44C9BC5455966861D0BDCC9D7F3EE59B5179FCF4C8877C9648805BD021985421
SSDEEP: 1536:NhJ6WUpefX3zTwisL9zdRTtfHwedIM7hews0/+AcVpv:SpefX3zTwisL9zdRTtPfdIjws0/+AcVx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 5604)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 4244)
  • SUSPICIOUS

    • Get information on the list of running processes

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Application launched itself

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Executes script without checking the security policy

      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 3536)
      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 4224)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 3540)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 5240)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 4224)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 3540)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 5240)
    • Executing commands from ".cmd" file

      • cmd.exe (PID: 4972)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4972)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Hides command output

      • cmd.exe (PID: 4224)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2148)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 936)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 2148)
    • Probably download files using WebClient

      • cmd.exe (PID: 936)
    • Kill processes via PowerShell

      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 4224)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4244)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 4224)
    • Removes files via PowerShell

      • powershell.exe (PID: 4224)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 4244)
    • Creates files in the program directory

      • cmd.exe (PID: 4120)
      • cmd.exe (PID: 4972)
      • powershell.exe (PID: 4244)
    • The process uses the downloaded file

      • cmd.exe (PID: 4972)
    • Checks proxy server information

      • powershell.exe (PID: 4164)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 2148)
    • Checks supported languages

      • csc.exe (PID: 2148)
      • cvtres.exe (PID: 4596)
    • Creates files in a temporary directory

      • csc.exe (PID: 2148)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4244)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4224)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 28
Malicious processes: 5
Suspicious processes: 5

Behavior graph (process launch order; "no specs" marks processes with no triggered signatures)

start, cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), powershell.exe, reg.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), fltmc.exe (no specs), cmd.exe, conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), powershell.exe, reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), powershell.exe (no specs), attrib.exe (no specs), powershell.exe (no specs), csc.exe, cvtres.exe (no specs), powershell.exe, cmd.exe (no specs), powershell.exe (no specs)

Process information

PID: 4972
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\ZipRipper.cmd.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 904
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1616
CMD: TASKLIST /V /NH /FI "imagename eq cmd.exe"
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1296
CMD: FINDSTR /I /C:"ZIP-Ripper"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 5592
CMD: C:\WINDOWS\system32\cmd.exe /c POWERSHELL -nop -c "$ProgressPreference='SilentlyContinue';irm http://www.msftncsi.com/ncsi.txt;$ProgressPreference='Continue'"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 4164
CMD: POWERSHELL -nop -c "$ProgressPreference='SilentlyContinue';irm http://www.msftncsi.com/ncsi.txt;$ProgressPreference='Continue'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2356
CMD: REG ADD HKCU\Software\classes\.ZipRipper\shell\runas\command /f /ve /d "CMD /x /d /r SET \"f0=1\"&CALL \"%2\" %3"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 2972
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" ECHO"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4120
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" 1>"C:\ProgramData\launcher.ZipRipper" ( SET /p="C:\Users\admin\Desktop\" )"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 5316
CMD: FLTMC
Path: C:\Windows\System32\fltMC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Filter Manager Control Program
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fltmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events: 29 427
Read events: 29 425
Write events: 2
Delete events: 0

Modification events

PID 4972 (cmd.exe), operation: write
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Name: C:\WINDOWS\system32\CMD.exe.FriendlyAppName
Value: Windows Command Processor

PID 4972 (cmd.exe), operation: write
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Name: C:\WINDOWS\system32\CMD.exe.ApplicationCompany
Value: Microsoft Corporation
Executable files: 1
Suspicious files: 3
Text files: 18
Unknown types: 0

Dropped files

PID 4164, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zrhlxbw2.2yx.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 5604, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qkzdmczk.wfa.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 3536, powershell.exe: C:\Users\admin\AppData\Local\Temp\vcc5ocme\vcc5ocme.cmdline (text)
MD5: A6935AD87D70D1959C96C9C3F51D7EF7
SHA256: D4BEC87563C7D8C5C4C19F411899422A0E46F035D3399C5738DBC44A13A3FF50

PID 3536, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ybhuhih.qwb.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 4244, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2p2drqgl.wen.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 3536, powershell.exe: C:\Users\admin\AppData\Local\Temp\vcc5ocme\vcc5ocme.0.cs (text)
MD5: 2243CF02366045A3304A61B0D91B4AAA
SHA256: 0AED36513811D5A2A36EC7E4AA2FC98FF931CF27D6F7E5394515B8AAFAE9B252

PID 2148, csc.exe: C:\Users\admin\AppData\Local\Temp\vcc5ocme\vcc5ocme.dll (executable)
MD5: 07169315B2E64C5173A626C9E6602702
SHA256: B43930330D8392288849EFE519025CF600C457D5D7151A4ED9EE8B745AC272C4

PID 2148, csc.exe: C:\Users\admin\AppData\Local\Temp\vcc5ocme\CSC784154B7A8A548C89D87DDE958D3BB9.TMP (binary)
MD5: 713F81A6D95C3665EF950FE17C78AD38
SHA256: 718D338A69178B8084B10F723085BF451FA11F82DA9D7E7686DFCA7D9F1043CD

PID 4164, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: 08E923BC719BF79E0E68114BB7C0993F
SHA256: 08C6FF4CE1185BA441255E9206DF85A5304CAE453D7504037CC0F304C457D27B

PID 4972, cmd.exe: C:\ProgramData\ZipRipper.cmd.bat (text)
MD5: 1668D255E23D267411DF031FAD3C2501
SHA256: 44C9BC5455966861D0BDCC9D7F3EE59B5179FCF4C8877C9648805BD021985421
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 21
DNS requests: 9
Threats: 3

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, type, size, reputation)

2972 RUXIMICS.exe GET 200 23.48.23.143:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; whitelisted)
2972 RUXIMICS.exe GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN: unknown; whitelisted)
3568 svchost.exe GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN: unknown; whitelisted)
4712 MoUsoCoreWorker.exe GET 200 23.48.23.143:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; whitelisted)
4712 MoUsoCoreWorker.exe GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN: unknown; whitelisted)
3568 svchost.exe GET 200 23.48.23.143:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; whitelisted)
5604 powershell.exe GET 200 184.24.77.30:80 http://www.msftncsi.com/ncsi.txt (CN: unknown; whitelisted)
4164 powershell.exe GET 200 184.24.77.30:80 http://www.msftncsi.com/ncsi.txt (CN: unknown; whitelisted)
(no PID/process recorded) GET 200 140.82.121.3:443 https://raw.githubusercontent.com/illsk1lls/ZipRipper/main/.resources/zipripper.png (CN: unknown; type: image; size: 48.6 Kb)

Connections (PID, process, IP, domain, ASN, CN, reputation)

4712 MoUsoCoreWorker.exe 4.231.128.59:443 settings-win.data.microsoft.com (ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; whitelisted)
3568 svchost.exe 4.231.128.59:443 settings-win.data.microsoft.com (ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; whitelisted)
2972 RUXIMICS.exe 4.231.128.59:443 settings-win.data.microsoft.com (ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; whitelisted)
(no PID/process recorded) 2.23.227.208:443 (ASN: Ooredoo Q.S.C.; CN: QA; unknown)
4 System 192.168.100.255:138 (whitelisted)
4712 MoUsoCoreWorker.exe 23.48.23.143:80 crl.microsoft.com (ASN: Akamai International B.V.; CN: DE; whitelisted)
3568 svchost.exe 23.48.23.143:80 crl.microsoft.com (ASN: Akamai International B.V.; CN: DE; whitelisted)
2972 RUXIMICS.exe 23.48.23.143:80 crl.microsoft.com (ASN: Akamai International B.V.; CN: DE; whitelisted)
4712 MoUsoCoreWorker.exe 184.30.21.171:80 www.microsoft.com (ASN: AKAMAI-AS; CN: DE; whitelisted)
3568 svchost.exe 184.30.21.171:80 www.microsoft.com (ASN: AKAMAI-AS; CN: DE; whitelisted)

DNS requests (domain: resolved IPs, reputation)

settings-win.data.microsoft.com: 4.231.128.59, 40.127.240.158 (whitelisted)
google.com: 142.250.185.78 (whitelisted)
crl.microsoft.com: 23.48.23.143, 23.48.23.177, 23.48.23.145, 23.48.23.147, 23.48.23.156, 23.48.23.164, 23.48.23.167 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)
www.msftncsi.com: 184.24.77.30, 184.24.77.4 (whitelisted)
raw.githubusercontent.com: 185.199.110.133, 185.199.111.133, 185.199.109.133, 185.199.108.133 (shared)
self.events.data.microsoft.com: 20.189.173.17 (whitelisted)

Threats (class: message; no PID or process recorded)

Not Suspicious Traffic: ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic: ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic: INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info