File name: .zip
Full analysis: https://app.any.run/tasks/d1a9c322-b22d-4688-a72d-8d8e9a8aa058
Verdict: Malicious activity
Analysis date: May 30, 2024, 20:06:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 118B664CFFC151B50257F9B058892E75
SHA1: 40BB786344E6EADBD76721E9B84011D16055E825
SHA256: 49643B1F483F32112775C305890180D4D11E12FF0A5A3202BFC1B83BC4B4C65F
SSDEEP: 98304:Gafn/rgyYEQf2H74OnI1w0noglyPRvff1bEcE1l0Eb/VIff8nbSJYpXyDIxqOVoz:4QdyHz+ZRl3Cih6k9p3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Antivirus name has been found in the command line (generic signature)
      • findstr.exe (PID: 736)
      • findstr.exe (PID: 5428)
    • Drops the executable file immediately after the start
      • cmd.exe (PID: 7156)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 6360)
      • WinRAR.exe (PID: 7016)
      • S o l a r a X.exe (PID: 7096)
    • Using 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 7156)
    • Start notepad (likely ransomware note)
      • WinRAR.exe (PID: 6360)
    • Application launched itself
      • WinRAR.exe (PID: 6360)
      • cmd.exe (PID: 7156)
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 7156)
      • S o l a r a X.exe (PID: 7096)
    • Drops a file with a rarely used extension (PIF)
      • cmd.exe (PID: 7156)
    • Starts application with an unusual extension
      • cmd.exe (PID: 7156)
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 7156)
    • Suspicious file concatenation
      • cmd.exe (PID: 4720)
    • The executable file from the user directory is run by the CMD process
      • Locking.pif (PID: 2740)
    • Runs PING.EXE to delay simulation
      • cmd.exe (PID: 7156)
    • Reads the date of Windows installation
      • S o l a r a X.exe (PID: 7096)
    • Get information on the list of running processes
      • cmd.exe (PID: 7156)
    • Executing commands from ".cmd" file
      • S o l a r a X.exe (PID: 7096)
  • INFO
    • Reads Microsoft Office registry keys
      • WinRAR.exe (PID: 6360)
    • Reads security settings of Internet Explorer
      • notepad.exe (PID: 6908)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 7016)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 7016)
    • Checks supported languages
      • S o l a r a X.exe (PID: 7096)
      • Locking.pif (PID: 2740)
    • Create files in a temporary directory
      • S o l a r a X.exe (PID: 7096)
    • Reads the computer name
      • S o l a r a X.exe (PID: 7096)
      • Locking.pif (PID: 2740)
    • Creates files or folders in the user directory
      • S o l a r a X.exe (PID: 7096)
    • Process checks computer location settings
      • S o l a r a X.exe (PID: 7096)
    • Reads mouse settings
      • Locking.pif (PID: 2740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:05:24 14:39:30
ZipCRC: 0x363d229e
ZipCompressedSize: 18
ZipUncompressedSize: 18
ZipFileName: README.txt
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 18
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order: winrar.exe, winrar.exe, winrar.exe, notepad.exe, winrar.exe, winrar.exe, s o l a r a x.exe, cmd.exe, conhost.exe, tasklist.exe, findstr.exe, tasklist.exe, findstr.exe, cmd.exe, findstr.exe, cmd.exe, locking.pif, ping.exe

Process information

Fields per entry: PID, CMD, Path, Indicators, Parent process
PID: 736
CMD: findstr /I "wrsa.exe opssvc.exe"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\user32.dll
PID: 928
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\tasklist.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\advapi32.dll, c:\windows\syswow64\msvcrt.dll
PID: 1720
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\tasklist.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\advapi32.dll, c:\windows\syswow64\msvcrt.dll
PID: 2740
CMD: 122774\Locking.pif 122774\M
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\122774\Locking.pif
Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 14, 2
Modules (images): c:\users\admin\appdata\local\microsoft\windows\inetcache\122774\locking.pif, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\psapi.dll, c:\windows\syswow64\user32.dll
PID: 3688
CMD: ping -n 5 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\ping.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\ws2_32.dll
PID: 4720
CMD: cmd /c copy /b Flooring + Textiles + Optical + Attractions + Assumption + Typical + Miracle 122774\M
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll
PID: 4916
CMD: findstr /V "MasBathroomsCompoundInjection" Participants
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\user32.dll
PID: 5428
CMD: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\user32.dll
PID: 5716
CMD: cmd /c md 122774
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll
PID: 6360
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\d1a9c322-b22d-4688-a72d-8d8e9a8aa058.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images): c:\program files\winrar\winrar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll
Total events: 25 751
Read events: 25 689
Write events: 62
Delete events: 0

Modification events

PID / Process | Key | Operation | Name | Value
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\d1a9c322-b22d-4688-a72d-8d8e9a8aa058.zip
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Comment | write | LeftBorder | 472
(6360) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | write | name | 256
Executable files: 4
Suspicious files: 41
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa6360.44100\ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ .rar | - | - | -
6360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa6360.44240\ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ .rar | - | - | -
6360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa6360.44583\ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ .rar | - | - | -
6360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa6360.44608\ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ ㅤ .rar | - | - | -
7016 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb7016.45040\ㅤ\S o l a r a X.exe | - | - | -
7016 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb7016.45040\ㅤ\scripts\scripts.dll | executable | 88FD7DBF04BCF75123D02009AEA3F7F7 | 01481B9A862936FBC090BDA4033F22D7FFA5A7BFE5DC32F47C7794332B34EEC4
7016 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb7016.45040\ㅤ\dll\celeryuwp.bin | executable | B0F566FC20DE341E2848A489F69A4E48 | 5223F453B44BE5D13F5F249F1F23B020B75C7E237C23712D97813C430015AFC6
7016 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb7016.45040\ㅤ\dll\autoexec\HOW_TO_USE.txt | text | 4324149D23C0D89F490249E531460C21 | A6F1509DDEB9B80F94E3EC9DE3821BB129979201C6833F472D25FAB16187C1EE
6360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa6360.44317\README.txt | text | 3B67CB5204FD29E22213B4148FAC70F8 | 386E4D49A8C3E7FEADE70B1130AE458970EB7E847ECF1068722F954E6ACAF6AA
7016 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb7016.45040\ㅤ\dll\uwpoffver | text | CB5AE17636E975F9BF71DDF5BC542075 | 14BE4B45F18E0D8C67B4F719B5144EEE88497E413709D11D85B096D8E2346310
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 22
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5632 | svchost.exe | GET | 200 | 2.22.242.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.22.242.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
4232 | RUXIMICS.exe | GET | 200 | 2.22.242.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
4232 | RUXIMICS.exe | GET | 200 | 184.28.66.24:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 184.28.66.24:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
- | - | POST | 200 | 20.50.73.4:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | -
5632 | svchost.exe | GET | 200 | 184.28.66.24:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4364 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
5632 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4232 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4232 | RUXIMICS.exe | 2.22.242.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5632 | svchost.exe | 2.22.242.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5140 | MoUsoCoreWorker.exe | 2.22.242.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5632 | svchost.exe | 184.28.66.24:80 | www.microsoft.com | Data Communication Business Group | TW | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.22.242.90, 2.22.242.121 | whitelisted
www.microsoft.com | 184.28.66.24 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
HDCIZfrnmkrkibbwxQlVwAYZqH.HDCIZfrnmkrkibbwxQlVwAYZqH | 49.13.77.253 | unknown
self.events.data.microsoft.com | 20.189.173.6 | whitelisted

Threats

No threats detected
No debug info