analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

e290da4ee635e92bcec7.zip

Full analysis: https://app.any.run/tasks/12d8e9cc-f59a-49ab-b85f-941d11411937
Verdict: Malicious activity
Analysis date: October 14, 2019, 14:31:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7FA7152088C09BA743FF514D65B2994D

SHA1:

3476DF1751D45DE0C46864E3073F09837D7404DD

SHA256:

4F4D52D44882B57319D849C1EBAF6741E2EEA807347899AF26651E9FE450E23F

SSDEEP:

98304:QNAkeZe8p4/aOijRf9vN4Xf49r53ycrkZlza6y/83ZslVkLWCiVT8ZVD4ILO0gNd:M5eE80afjRFvJrhhkZlu6GeZgzV0DnO5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe (PID: 2700)
      • e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe (PID: 3456)
      • svchest.exe (PID: 2876)
  • SUSPICIOUS

    • Starts Internet Explorer

      • svchest.exe (PID: 2876)
    • Creates files in the Windows directory

      • e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe (PID: 3456)
    • Executable content was dropped or overwritten

      • e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe (PID: 3456)
  • INFO

    • Manual execution by user

      • e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe (PID: 3456)
      • e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe (PID: 2700)
    • Application launched itself

      • iexplore.exe (PID: 716)
    • Reads internet explorer settings

      • iexplore.exe (PID: 928)
    • Changes internet zones settings

      • iexplore.exe (PID: 716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:10:14 14:00:27
ZipCRC: 0x612397d2
ZipCompressedSize: 5576288
ZipUncompressedSize: 6193152
ZipFileName: e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe no specs e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe svchest.exe no specs iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2720"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\e290da4ee635e92bcec7.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2700"C:\Users\admin\Desktop\e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe" C:\Users\admin\Desktop\e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
3456"C:\Users\admin\Desktop\e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe" C:\Users\admin\Desktop\e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
1.0.0.0
2876C:\windows\svchest.exeC:\windows\svchest.exee290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exe
User:
admin
Company:
瑞创网络科技
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
716"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exe
svchest.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
928"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:716 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
734
Read events
668
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2720WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2720.914\e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.bin
MD5:
SHA256:
716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
716iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3456e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exeC:\windows\2.exeexecutable
MD5:5BB3120DC09A0CEA0529E60EFDBE5C70
SHA256:A13AD025F4B290316196D93F2F4B00A3A375764C44771503A1E46904D78141B4
716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
3456e290da4ee635e92bcec7c480c82ba15c15203eadf960f7d65906874bfed846be.exeC:\windows\svchest.exeexecutable
MD5:28426C9F91123DACF9FBC9CFFE0A88E6
SHA256:BEF6CACFD8B5560AE1BE015CB94D14C53AAF0A9A049FADE1141666AA5562D2DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
716
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.fulingmall.com
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info