| File name: | ZipRipper.cmd |
| Full analysis: | https://app.any.run/tasks/a0bb98aa-8c1f-4d3a-a6dd-641819a1989b |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 10, 2025, 19:30:49 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text, with very long lines (7834), with CRLF line terminators |
| MD5: | 1668D255E23D267411DF031FAD3C2501 |
| SHA1: | AFE1CE3B7AB5B8030FAFF613B363FE8B8FFCD3E1 |
| SHA256: | 44C9BC5455966861D0BDCC9D7F3EE59B5179FCF4C8877C9648805BD021985421 |
| SSDEEP: | 1536:NhJ6WUpefX3zTwisL9zdRTtfHwedIM7hews0/+AcVpv:SpefX3zTwisL9zdRTtPfdIjws0/+AcVx |
MALICIOUS
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 5604)
Script downloads file (POWERSHELL)
- powershell.exe (PID: 4244)
SUSPICIOUS
Get information on the list of running processes
- cmd.exe (PID: 4972)
- cmd.exe (PID: 936)
Application launched itself
- cmd.exe (PID: 4972)
- cmd.exe (PID: 936)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 4972)
- cmd.exe (PID: 936)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 5592)
- cmd.exe (PID: 5540)
- cmd.exe (PID: 3540)
- cmd.exe (PID: 936)
- cmd.exe (PID: 5240)
Hides errors and continues executing the command without stopping
- powershell.exe (PID: 4164)
- powershell.exe (PID: 5604)
- powershell.exe (PID: 4224)
Executing commands from ".cmd" file
- cmd.exe (PID: 4972)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 5592)
- cmd.exe (PID: 3540)
- cmd.exe (PID: 5540)
- cmd.exe (PID: 936)
- cmd.exe (PID: 5240)
Executes script without checking the security policy
- powershell.exe (PID: 4164)
- powershell.exe (PID: 5604)
- powershell.exe (PID: 1480)
- powershell.exe (PID: 3536)
- powershell.exe (PID: 4244)
- powershell.exe (PID: 4224)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 4972)
- cmd.exe (PID: 936)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 4972)
- cmd.exe (PID: 936)
Executing commands from a ".bat" file
- cmd.exe (PID: 4972)
Hides command output
- cmd.exe (PID: 4224)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 936)
CSC.EXE is used to compile C# code
- csc.exe (PID: 2148)
Kill processes via PowerShell
- powershell.exe (PID: 4244)
- powershell.exe (PID: 4224)
Executable content was dropped or overwritten
- csc.exe (PID: 2148)
Probably download files using WebClient
- cmd.exe (PID: 936)
Uses sleep to delay execution (POWERSHELL)
- powershell.exe (PID: 4244)
Removes files via Powershell
- powershell.exe (PID: 4224)
Detects reflection assembly loader (YARA)
- powershell.exe (PID: 4224)
INFO
Creates files in the program directory
- cmd.exe (PID: 4120)
- cmd.exe (PID: 4972)
- powershell.exe (PID: 4244)
Disables trace logs
- powershell.exe (PID: 4164)
- powershell.exe (PID: 4244)
The process uses the downloaded file
- cmd.exe (PID: 4972)
Checks proxy server information
- powershell.exe (PID: 4164)
Reads the machine GUID from the registry
- csc.exe (PID: 2148)
Create files in a temporary directory
- csc.exe (PID: 2148)
Checks supported languages
- cvtres.exe (PID: 4596)
- csc.exe (PID: 2148)
Gets data length (POWERSHELL)
- powershell.exe (PID: 4244)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 4224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
149
Monitored processes
28
Malicious processes
5
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 904 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 936 | "CMD.exe" /x /d /r SET "f0=1"&CALL "C:\ProgramData\ZipRipper.cmd.bat" | C:\Windows\System32\cmd.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1296 | FINDSTR /I /C:"ZIP-Ripper" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1480 | POWERSHELL -nop -c "Get-CIMInstance -query 'select * from Win32_VideoController' | ft Name" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1616 | TASKLIST /V /NH /FI "imagename eq cmd.exe" | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1740 | ATTRIB -h "C:\ProgramData\BIT*.tmp" | C:\Windows\System32\attrib.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Attribute Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2148 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\vcc5ocme\vcc5ocme.cmdline" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 2356 | REG ADD HKCU\Software\classes\.ZipRipper\shell\runas\command /f /ve /d "CMD /x /d /r SET \"f0=1\"&CALL \"%2\" %3" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2676 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2972 | C:\WINDOWS\system32\cmd.exe /S /D /c" ECHO" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
29 427
Read events
29 425
Write events
2
Delete events
0
Modification events
| (PID) Process: | (4972) cmd.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\system32\CMD.exe.FriendlyAppName |
Value: Windows Command Processor | |||
| (PID) Process: | (4972) cmd.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\system32\CMD.exe.ApplicationCompany |
Value: Microsoft Corporation | |||
Executable files
1
Suspicious files
3
Text files
18
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5604 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qkzdmczk.wfa.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xzokxijk.zxy.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xym5dayx.zbs.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2tvyy0g5.x5q.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ybhuhih.qwb.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4972 | cmd.exe | C:\ProgramData\ZipRipper.cmd.bat | text | |
MD5:1668D255E23D267411DF031FAD3C2501 | SHA256:44C9BC5455966861D0BDCC9D7F3EE59B5179FCF4C8877C9648805BD021985421 | |||
| 4164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zrhlxbw2.2yx.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4120 | cmd.exe | C:\ProgramData\launcher.ZipRipper | text | |
MD5:B89B15B2F9AA79B81F2624130B667A74 | SHA256:B0EDD6B84B01059AB7FC1DD48443706D254E25EFA3082F6BFA0D03858F44A80B | |||
| 4164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fqmtzd1k.yqd.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5604 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dgejrcle.y00.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
21
DNS requests
9
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2972 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4164 | powershell.exe | GET | 200 | 184.24.77.30:80 | http://www.msftncsi.com/ncsi.txt | unknown | — | — | whitelisted |
5604 | powershell.exe | GET | 200 | 184.24.77.30:80 | http://www.msftncsi.com/ncsi.txt | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/illsk1lls/ZipRipper/main/.resources/zipripper.png | unknown | image | 48.6 Kb | unknown |
3568 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3568 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2972 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3568 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2972 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.23.227.208:443 | — | Ooredoo Q.S.C. | QA | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3568 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2972 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3568 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.msftncsi.com |
| whitelisted |
raw.githubusercontent.com |
| shared |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4164 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
5604 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |