File name:

sample_130.zip

Full analysis: https://app.any.run/tasks/5aa90df6-c5c1-4de8-9eb5-1090759de574
Verdict: Malicious activity
Analysis date: June 12, 2019, 11:25:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

394DE60DC4B7D0F78DFE1210260CA2D9

SHA1:

098CBEA7E4F27843F8F1555F8C757AEE21A2AC57

SHA256:

4D2993CE62AB82DD3A59C367F46E0D04683CC706B4A3FDC991C2B4C1A2AA2000

SSDEEP:

6144:kpRgHfSSHZOuNEuIxmh5AVFrtco6JIPX0VwA62Mrip/iEpBC4+E3acZ89VvDfkS3:0Rq35fN+csxtZ6/562MgiEpacZ4VvDft

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • sample_130.exe (PID: 3524)
      • sample_130.exe (PID: 2832)
      • sample_130.exe (PID: 3164)
      • sample_130.exe (PID: 2536)

    • Connects to CnC server

      • sample_130.exe (PID: 2832)
      • sample_130.exe (PID: 2536)

    • Changes settings of System certificates

      • sample_130.exe (PID: 2832)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • sample_130.exe (PID: 2832)
      • sample_130.exe (PID: 2536)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 2944)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 3624)
      • cmd.exe (PID: 3424)

    • Adds / modifies Windows certificates

      • sample_130.exe (PID: 2832)

    • Creates files in the user directory

      • sample_130.exe (PID: 2832)

    • Executes application which crashes

      • sample_130.exe (PID: 2832)

  • INFO

    • Manual execution by user

      • sample_130.exe (PID: 3524)
      • sample_130.exe (PID: 2832)
      • sample_130.exe (PID: 3164)
      • sample_130.exe (PID: 2536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2018:05:01 18:48:23
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: sample_130/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
17
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs sample_130.exe no specs sample_130.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs ntvdm.exe no specs ntvdm.exe no specs sample_130.exe no specs sample_130.exe cmd.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1496netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLEC:\Windows\system32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2156"C:\Windows\system32\ntvdm.exe" -i2 C:\Windows\system32\ntvdm.exesample_130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2280"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\admin\AppData\Local\DirectDownloader\directdownloader.exe"C:\Windows\System32\cmd.exesample_130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2472"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\admin\AppData\Local\DirectDownloader"C:\Windows\System32\cmd.exesample_130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2536"C:\Users\admin\Desktop\sample_130.exe" C:\Users\admin\Desktop\sample_130.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\sample_130.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2552"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\admin\AppData\Local\DirectDownloader\directdownloader.exe"C:\Windows\System32\cmd.exesample_130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
2832"C:\Users\admin\Desktop\sample_130.exe" C:\Users\admin\Desktop\sample_130.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\sample_130.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2944"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLEC:\Windows\System32\cmd.exesample_130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3156netsh firewall delete allowedprogram "C:\Users\admin\AppData\Local\DirectDownloader\directdownloader.exe"C:\Windows\system32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\gdi32.dll
3164"C:\Users\admin\Desktop\sample_130.exe" C:\Users\admin\Desktop\sample_130.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\sample_130.exe
c:\systemroot\system32\ntdll.dll
Total events
1 226
Read events
986
Write events
240
Delete events
0

Modification events

(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3336) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\sample_130.zip
(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3336) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(2832) sample_130.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
0
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
3336WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3336.26615\sample_130\sample_130.exe
MD5:
SHA256:
3716ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs6421.tmp
MD5:
SHA256:
3716ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs6422.tmp
MD5:
SHA256:
2156ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs671E.tmp
MD5:
SHA256:
2156ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs671F.tmp
MD5:
SHA256:
2552cmd.exeC:\Users\admin\AppData\Local\DirectDownloader\directdownloader.exetext
MD5:
SHA256:
2832sample_130.exeC:\Users\admin\AppData\Local\Temp\optimizer.exehtml
MD5:
SHA256:
2832sample_130.exeC:\Users\admin\AppData\Local\Temp\ddlr-directdownloader-sntb.exehtml
MD5:
SHA256:
2536sample_130.exeC:\Users\admin\AppData\Local\Temp\ddlr-directdownloader-sntb.exehtml
MD5:
SHA256:
2832sample_130.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txttext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
8
DNS requests
6
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2832
sample_130.exe
GET
302
162.255.119.249:80
http://www.directdownloader.com/toolbars/ddlr-directdownloader-sntb.exe
US
html
123 b
malicious
2536
sample_130.exe
GET
302
162.255.119.249:80
http://www.directdownloader.com/toolbars/ddlr-directdownloader-sntb.exe
US
html
123 b
malicious
2832
sample_130.exe
GET
301
216.58.205.228:80
http://www.google.com/enterprise/apps/business/products.html/toolbars/ddlr-directdownloader-sntb.exe
US
html
294 b
malicious
2832
sample_130.exe
GET
302
162.255.119.249:80
http://www.directdownloader.com/toolbars/optimizer.exe
US
html
106 b
malicious
2832
sample_130.exe
GET
302
162.255.119.249:80
http://www.directdownloader.com/DirectDownloaderInstaller.exe
US
html
113 b
malicious
2536
sample_130.exe
GET
302
162.255.119.249:80
http://www.directdownloader.com/DirectDownloaderInstaller.exe
US
html
113 b
malicious
2832
sample_130.exe
GET
301
216.58.205.228:80
http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe
US
html
277 b
malicious
2536
sample_130.exe
GET
302
162.255.119.249:80
http://www.directdownloader.com/toolbars/optimizer.exe
US
html
106 b
malicious
2832
sample_130.exe
GET
302
162.255.119.249:80
http://www.directdownloader.com/check.php?v=2.3a&os=windows&version=7%20Service%20Pack%201&lang=English&referer=&offer_pre=yes&install=yes
US
html
184 b
malicious
2536
sample_130.exe
GET
301
172.217.22.68:80
http://www.google.com/enterprise/apps/business/products.html/toolbars/ddlr-directdownloader-sntb.exe
US
html
294 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2536
sample_130.exe
216.58.205.238:443
enterprise.google.com
Google Inc.
US
whitelisted
2832
sample_130.exe
172.217.21.238:443
gsuite.google.com
Google Inc.
US
whitelisted
2536
sample_130.exe
162.255.119.249:80
www.directdownloader.com
Namecheap, Inc.
US
malicious
2536
sample_130.exe
172.217.22.68:80
www.google.com
Google Inc.
US
whitelisted
2536
sample_130.exe
172.217.21.238:443
gsuite.google.com
Google Inc.
US
whitelisted
2832
sample_130.exe
162.255.119.249:80
www.directdownloader.com
Namecheap, Inc.
US
malicious
2832
sample_130.exe
216.58.205.228:80
www.google.com
Google Inc.
US
whitelisted
2832
sample_130.exe
216.58.205.238:443
enterprise.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.directdownloader.com
  • 162.255.119.249
malicious
www.google.com
  • 216.58.205.228
  • 172.217.22.68
malicious
enterprise.google.com
  • 216.58.205.238
whitelisted
gsuite.google.com
  • 172.217.21.238
whitelisted

Threats

PID
Process
Class
Message
2832
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2832
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2832
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2832
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2832
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2832
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2536
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2536
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2536
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
2536
sample_130.exe
A Network Trojan was detected
ET MALWARE Suspicious User-Agent (downloader)
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sample_130.zip