File name: ZipRipper.cmd

Full analysis: https://app.any.run/tasks/a0bb98aa-8c1f-4d3a-a6dd-641819a1989b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 19:30:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, reflection, loader
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (7834), with CRLF line terminators
MD5: 1668D255E23D267411DF031FAD3C2501
SHA1: AFE1CE3B7AB5B8030FAFF613B363FE8B8FFCD3E1
SHA256: 44C9BC5455966861D0BDCC9D7F3EE59B5179FCF4C8877C9648805BD021985421
SSDEEP: 1536:NhJ6WUpefX3zTwisL9zdRTtfHwedIM7hews0/+AcVpv:SpefX3zTwisL9zdRTtPfdIjws0/+AcVx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 5604)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 4244)
  • SUSPICIOUS

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Get information on the list of running processes

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Executing commands from ".cmd" file

      • cmd.exe (PID: 4972)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 3540)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 5240)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 3540)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 5240)
    • Application launched itself

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 936)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4972)
    • Executes script without checking the security policy

      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 3536)
      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 4224)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 4224)
    • Hides command output

      • cmd.exe (PID: 4224)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2148)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 936)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 2148)
    • Kill processes via PowerShell

      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 4224)
    • Probably download files using WebClient

      • cmd.exe (PID: 936)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4244)
    • Removes files via Powershell

      • powershell.exe (PID: 4224)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 4224)
  • INFO

    • Creates files in the program directory

      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 4120)
      • powershell.exe (PID: 4244)
    • Disables trace logs

      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 4244)
    • The process uses the downloaded file

      • cmd.exe (PID: 4972)
    • Checks proxy server information

      • powershell.exe (PID: 4164)
    • Checks supported languages

      • csc.exe (PID: 2148)
      • cvtres.exe (PID: 4596)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 2148)
    • Create files in a temporary directory

      • csc.exe (PID: 2148)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4224)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 28
Malicious processes: 5
Suspicious processes: 5

Behavior graph (interactive graph in the full report; process chain in launch order):

cmd.exe, conhost.exe, tasklist.exe, findstr.exe, cmd.exe, powershell.exe, reg.exe, cmd.exe, cmd.exe, fltmc.exe, cmd.exe, conhost.exe, tasklist.exe, findstr.exe, cmd.exe, powershell.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, powershell.exe, attrib.exe, powershell.exe, csc.exe, cvtres.exe, powershell.exe, cmd.exe, powershell.exe

Process information

Fields: PID, CMD, Path, Indicators, Parent process

PID: 4972
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\ZipRipper.cmd.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 904
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1616
CMD: TASKLIST /V /NH /FI "imagename eq cmd.exe"
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1296
CMD: FINDSTR /I /C:"ZIP-Ripper"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5592
CMD: C:\WINDOWS\system32\cmd.exe /c POWERSHELL -nop -c "$ProgressPreference='SilentlyContinue';irm http://www.msftncsi.com/ncsi.txt;$ProgressPreference='Continue'"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 4164
CMD: POWERSHELL -nop -c "$ProgressPreference='SilentlyContinue';irm http://www.msftncsi.com/ncsi.txt;$ProgressPreference='Continue'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2356
CMD: REG ADD HKCU\Software\classes\.ZipRipper\shell\runas\command /f /ve /d "CMD /x /d /r SET \"f0=1\"&CALL \"%2\" %3"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2972
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" ECHO"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 4120
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" 1>"C:\ProgramData\launcher.ZipRipper" ( SET /p="C:\Users\admin\Desktop\" )"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5316
CMD: FLTMC
Path: C:\Windows\System32\fltMC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Filter Manager Control Program
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 29 427
Read events: 29 425
Write events: 2
Delete events: 0

Modification events

(PID) Process: (4972) cmd.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\system32\CMD.exe.FriendlyAppName
Value: Windows Command Processor

(PID) Process: (4972) cmd.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\system32\CMD.exe.ApplicationCompany
Value: Microsoft Corporation
Executable files: 1
Suspicious files: 3
Text files: 18
Unknown types: 0

Dropped files

Fields: PID, Process, Filename, Type, MD5, SHA256

PID 4244, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tapdy3y2.13f.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4164, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zrhlxbw2.2yx.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 1480, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2tvyy0g5.x5q.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4972, cmd.exe: C:\ProgramData\ZipRipper.cmd.bat (text)
  MD5: 1668D255E23D267411DF031FAD3C2501
  SHA256: 44C9BC5455966861D0BDCC9D7F3EE59B5179FCF4C8877C9648805BD021985421
PID 4244, powershell.exe: C:\ProgramData\zipripper.png (image)
  MD5: B0DB69F0967354264D6716BD1F15F7F9
  SHA256: 4A3E0C493CFC848AEB836623D754417888D218F0177337CDBF0318CFC239CB96
PID 4120, cmd.exe: C:\ProgramData\launcher.ZipRipper (text)
  MD5: B89B15B2F9AA79B81F2624130B667A74
  SHA256: B0EDD6B84B01059AB7FC1DD48443706D254E25EFA3082F6BFA0D03858F44A80B
PID 3536, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xym5dayx.zbs.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4164, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
  MD5: 08E923BC719BF79E0E68114BB7C0993F
  SHA256: 08C6FF4CE1185BA441255E9206DF85A5304CAE453D7504037CC0F304C457D27B
PID 4164, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fqmtzd1k.yqd.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 5604, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qkzdmczk.wfa.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 21
DNS requests: 9
Threats: 3

HTTP requests

Fields: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

PID 4712, MoUsoCoreWorker.exe: GET 200 23.48.23.143:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; reputation: whitelisted)
PID 2972, RUXIMICS.exe: GET 200 23.48.23.143:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; reputation: whitelisted)
PID 3568, svchost.exe: GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN: unknown; reputation: whitelisted)
PID 2972, RUXIMICS.exe: GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN: unknown; reputation: whitelisted)
PID 3568, svchost.exe: GET 200 23.48.23.143:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; reputation: whitelisted)
PID 5604, powershell.exe: GET 200 184.24.77.30:80 http://www.msftncsi.com/ncsi.txt (CN: unknown; reputation: whitelisted)
PID 4712, MoUsoCoreWorker.exe: GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN: unknown; reputation: whitelisted)
PID 4164, powershell.exe: GET 200 184.24.77.30:80 http://www.msftncsi.com/ncsi.txt (CN: unknown; reputation: whitelisted)
(no PID/process listed): GET 200 140.82.121.3:443 https://raw.githubusercontent.com/illsk1lls/ZipRipper/main/.resources/zipripper.png (CN: unknown; type: image; size: 48.6 Kb)

Connections

Fields: PID, Process, IP, Domain, ASN, CN, Reputation

PID 4712, MoUsoCoreWorker.exe: 4.231.128.59:443 settings-win.data.microsoft.com (ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; reputation: whitelisted)
PID 3568, svchost.exe: 4.231.128.59:443 settings-win.data.microsoft.com (ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; reputation: whitelisted)
PID 2972, RUXIMICS.exe: 4.231.128.59:443 settings-win.data.microsoft.com (ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; reputation: whitelisted)
(no PID/process listed): 2.23.227.208:443 (ASN: Ooredoo Q.S.C.; CN: QA; reputation: unknown)
PID 4, System: 192.168.100.255:138 (reputation: whitelisted)
PID 4712, MoUsoCoreWorker.exe: 23.48.23.143:80 crl.microsoft.com (ASN: Akamai International B.V.; CN: DE; reputation: whitelisted)
PID 3568, svchost.exe: 23.48.23.143:80 crl.microsoft.com (ASN: Akamai International B.V.; CN: DE; reputation: whitelisted)
PID 2972, RUXIMICS.exe: 23.48.23.143:80 crl.microsoft.com (ASN: Akamai International B.V.; CN: DE; reputation: whitelisted)
PID 4712, MoUsoCoreWorker.exe: 184.30.21.171:80 www.microsoft.com (ASN: AKAMAI-AS; CN: DE; reputation: whitelisted)
PID 3568, svchost.exe: 184.30.21.171:80 www.microsoft.com (ASN: AKAMAI-AS; CN: DE; reputation: whitelisted)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.177
  • 23.48.23.145
  • 23.48.23.147
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.msftncsi.com
  • 184.24.77.30
  • 184.24.77.4
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
shared
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted

Threats

Fields: PID, Process, Class, Message (no PID or process is listed for these rows)

Class: Not Suspicious Traffic; Message: ET INFO Windows Powershell User-Agent Usage
Class: Not Suspicious Traffic; Message: ET INFO Windows Powershell User-Agent Usage
Class: Not Suspicious Traffic; Message: INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info