File name: NoEscape.zip
Full analysis: https://app.any.run/tasks/ad44219f-3eb2-4655-9834-b1c59a96ce95
Verdict: Malicious activity
Analysis date: November 29, 2020, 12:28:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EF4FDF65FC90BFDA8D1D2AE6D20AFF60
SHA1: 9431227836440C78F12BFB2CB3247D59F4D4640B
SHA256: 47F6D3A11FFD015413FFB96432EC1F980FBA5DD084990DD61A00342C5F6DA7F8
SSDEEP: 12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 2416)
    • Changes internet zones settings

      • ie4uinit.exe (PID: 2468)
  • SUSPICIOUS

    • Application launched itself

      • ie4uinit.exe (PID: 2468)
      • rundll32.exe (PID: 2416)
      • chrmstp.exe (PID: 2504)
      • chrmstp.exe (PID: 3384)
    • Executed as Windows Service

      • taskhost.exe (PID: 2688)
    • Creates files in the program directory

      • ie4uinit.exe (PID: 2468)
      • chrmstp.exe (PID: 2504)
      • chrmstp.exe (PID: 3384)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • ie4uinit.exe (PID: 2468)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 2468)
      • rundll32.exe (PID: 2416)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1452)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2592)
  • INFO

    • Manual execution by user

      • opera.exe (PID: 2576)
      • ie4uinit.exe (PID: 2468)
      • cmd.exe (PID: 1452)
      • chrmstp.exe (PID: 2504)
      • ie4uinit.exe (PID: 2772)
      • chrome.exe (PID: 2592)
      • verclsid.exe (PID: 1396)
    • Creates files in the user directory

      • opera.exe (PID: 2576)
    • Reads the hosts file

      • chrome.exe (PID: 2996)
      • chrome.exe (PID: 2592)
    • Changes settings of System certificates

      • chrome.exe (PID: 2996)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2996)
    • Application launched itself

      • chrome.exe (PID: 2592)
    • Adds / modifies Windows certificates

      • chrome.exe (PID: 2996)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: NoEscape.exe
ZipUncompressedSize: 682655
ZipCompressedSize: 631426
ZipCRC: 0x52a4a52a
ZipModifyDate: 2020:11:29 12:11:29
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 97
Malicious processes: 1
Suspicious processes: 1

Behavior graph


Process information

PID: 2392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NoEscape.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2576
CMD: "C:\Program Files\Opera\opera.exe"
Path: C:\Program Files\Opera\opera.exe
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Version: 1748

PID: 2688
CMD: "taskhost.exe"
Path: C:\Windows\system32\taskhost.exe
Parent process: services.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Host Process for Windows Tasks
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2468
CMD: "C:\Windows\System32\ie4uinit.exe" -UserConfig
Path: C:\Windows\System32\ie4uinit.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IE Per-User Initialization Utility
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 552
CMD: C:\Windows\System32\ie4uinit.exe -ClearIconCache
Path: C:\Windows\System32\ie4uinit.exe
Parent process: ie4uinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IE Per-User Initialization Utility
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2268
CMD: C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
Path: C:\Windows\System32\rundll32.exe
Parent process: ie4uinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2416
CMD: C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
Path: C:\Windows\System32\rundll32.exe
Parent process: ie4uinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2620
CMD: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Path: C:\Windows\system32\RunDll32.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1252
CMD: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Path: C:\Windows\system32\RunDll32.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2772
CMD: "C:\Windows\System32\ie4uinit.exe" -DisableSSL3
Path: C:\Windows\System32\ie4uinit.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IE Per-User Initialization Utility
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 1 894
Read events: 1 381
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 71
Text files: 799
Unknown types: 33

Dropped files

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Opera\Opera\opr169.tmp
MD5:
SHA256:

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Opera\Opera\opr199.tmp
MD5:
SHA256:

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
MD5:
SHA256:

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UILVZM9J7U9YRGRSX864.temp
MD5:
SHA256:

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr2ADC.tmp
MD5:
SHA256:

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
Type: binary
MD5: 43E6E7857868035DBD2CAC313544034B
SHA256: 7B38636151B053040FA857F741C6875559D9EB5B943E1C55BE6D9B3172DC81D6

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
Type: xml
MD5: 264408F76F60EFDCC08E540CC9DF46EE
SHA256: 1E5E999CFA839BF698FACAE22C4DA5B5A97E828B1A0942A913ACFAD9986C50E9

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF100d02.TMP
Type: binary
MD5: 2705C7592CB636F56CFD29AFC9E7C131
SHA256: 4CA9E9F6504E75871CF3FB660A931A29770BB1A7197A9AEBBB8C60EBB166CAED

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
Type: binary
MD5: 1AA8644C9261DC10F7247F6A145C1DD2
SHA256: 58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3

PID 2576, opera.exe
Filename: C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
Type: binary
MD5: 1AA8644C9261DC10F7247F6A145C1DD2
SHA256: 58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3
HTTP(S) requests: 13
TCP/UDP connections: 43
DNS requests: 27
Threats: 0

HTTP requests

PID Process | Method HTTP Code | IP | CN | Type | Size | Reputation

2576 opera.exe | GET 302 | 142.250.74.195:80 | US | html | 342 b | whitelisted
URL: http://www.google.com.ua/search?client=opera&q=fajgiioagsgua&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest

2996 chrome.exe | GET 200 | 74.125.8.58:80 | US | crx | 293 Kb | whitelisted
URL: http://r4---sn-5hne6n7z.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=45.86.201.44&mm=28&mn=sn-5hne6n7z&ms=nvh&mt=1606652655&mv=m&mvi=4&pl=25&shardbypass=yes

2576 opera.exe | GET 302 | 142.250.74.195:80 | US | html | 333 b | whitelisted
URL: http://www.google.com.ua/search?client=opera&q=fuck&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest

2996 chrome.exe | GET 302 | 142.250.74.206:80 | US | html | 518 b | whitelisted
URL: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx

2576 opera.exe | GET 200 | 172.217.21.195:80 | US | der | 472 b | whitelisted
URL: http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDNyv5iQFRFjQgAAAAAYtay

2576 opera.exe | GET 200 | 172.217.21.195:80 | US | der | 950 b | whitelisted
URL: http://crl.pki.goog/gsr2/gsr2.crl

2576 opera.exe | GET 302 | 142.250.74.195:80 | US | html | 326 b | whitelisted
URL: http://www.google.com.ua/search?q=fajgiioagsgua&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest

2576 opera.exe | GET 200 | 142.250.80.14:80 | US | text | 31 b | whitelisted
URL: http://clients1.google.com/complete/search?q=fuck&client=opera-suggest-omnibox&hl=de

2576 opera.exe | GET 200 | 93.184.220.29:80 | US | der | 592 b | whitelisted
URL: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl

2576 opera.exe | GET 302 | 142.250.74.195:80 | US | html | 317 b | whitelisted
URL: http://www.google.com.ua/search?q=fuck&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2576 | opera.exe | 142.250.74.195:443 | www.google.com.ua | Google Inc. | US | whitelisted
2576 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2576 | opera.exe | 142.250.74.195:80 | www.google.com.ua | Google Inc. | US | whitelisted
2576 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | | whitelisted
2576 | opera.exe | 82.145.216.15:80 | sitecheck2.opera.com | Opera Software AS | | suspicious
2576 | opera.exe | 172.217.21.195:80 | crl.pki.goog | Google Inc. | US | whitelisted
2576 | opera.exe | 142.250.80.14:80 | clients1.google.com | Google Inc. | US | whitelisted
2996 | chrome.exe | 172.217.22.3:443 | www.gstatic.com | Google Inc. | US | whitelisted
2996 | chrome.exe | 172.217.21.206:443 | clients2.google.com | Google Inc. | US | whitelisted
2576 | opera.exe | 142.250.64.67:443 | id.google.com | Google Inc. | US | whitelisted

DNS requests

Domain: IP(s) (Reputation)
certs.opera.com: 185.26.182.94, 185.26.182.93 (whitelisted)
crl4.digicert.com: 93.184.220.29 (whitelisted)
clients1.google.com: 142.250.80.14 (whitelisted)
www.google.com.ua: 142.250.74.195 (whitelisted)
sitecheck2.opera.com: 82.145.216.15, 82.145.216.16 (whitelisted)
crl.pki.goog: 172.217.21.195 (whitelisted)
ocsp.pki.goog: 172.217.21.195 (whitelisted)
id.google.com.ua: 172.217.21.195 (whitelisted)
id.google.com: 142.250.64.67 (whitelisted)
www.gstatic.com: 172.217.22.3 (whitelisted)

Threats

No threats detected
No debug info