File name: file_2f9df04568f140f5b8fe0986323a79a9_2019-10-14T15_29_53.000Z.zip
Full analysis: https://app.any.run/tasks/1c4d9097-30f0-459f-9858-ec6c8d7c4d8d
Verdict: Malicious activity
Analysis date: October 14, 2019, 15:38:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5C52AF16BDBD878074505B13766FB34D
SHA1: 8727751CA9313B8266E6CA61F5AFDF5170D1D81A
SHA256: 5178DF32344A6D4A55EAD894C6510658108E4C1681092EC7DC280BB7E9F76344
SSDEEP: 1536:OOisPjsRnw61wvfZKkJZ5FxwVmihy6cW80q7X1/u80z9GPVlL4Pim+PbyijPjf:DisPiRvkJt6LDMX170JwVB46VysPT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • java.exe (PID: 3996)
      • java.exe (PID: 3932)
      • java.exe (PID: 3792)
      • java.exe (PID: 1748)
  • SUSPICIOUS

    • Creates files in the user directory

      • notepad++.exe (PID: 2708)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 3672)
      • notepad++.exe (PID: 2708)
      • java.exe (PID: 3932)
      • java.exe (PID: 3792)
      • java.exe (PID: 1748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF
ZIP
ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: None
ZipModifyDate: 2019:10:14 15:35:16
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: entry001/
No data.
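The EXIF block above is what ExifTool reads from the first local file header of the archive, and the first header here is the directory entry entry001/ (compression None, CRC 0x00000000), not the java.exe that WinRAR later extracts from entry001\. A triage step that stops at this block never sees an executable. The following is an added example, not ExifTool or ANY.RUN code, that walks every local file header of a ZIP and reports the same fields under the same names, then lists the entries with executable extensions. The sample archive is constructed in memory by the example (a UTF-8-flagged directory entry followed by a stored 64-byte stub named java.exe); its sizes, CRC and payload bytes are not taken from the report.

```python
import struct
import zlib
from datetime import datetime

LOCAL_SIG = b"PK\x03\x04"
FLAG_DATA_DESCRIPTOR = 0x0008   # CRC/sizes follow the data; the header fields hold zeros
FLAG_UTF8 = 0x0800              # file name is UTF-8 (the 0x0800 seen in the report)
METHODS = {0: "None", 8: "Deflate", 12: "BZip2", 14: "LZMA", 99: "AES"}


def dos_datetime(mdate, mtime):
    """Decode the MS-DOS packed date/time stored in ZIP headers (2-second resolution)."""
    return datetime(1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
                    mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)


def parse_local_headers(buf):
    """Walk every local file header in `buf` (stops at the central directory or any
    other signature) and return the fields the EXIF block shows, under the same names."""
    entries, pos = [], 0
    while buf[pos:pos + 4] == LOCAL_SIG:
        (version, flags, method, mtime, mdate, crc, csize, usize,
         name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", buf, pos + 4)
        raw_name = buf[pos + 30:pos + 30 + name_len]
        name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437")
        streamed = bool(flags & FLAG_DATA_DESCRIPTOR)
        entries.append({
            "ZipRequiredVersion": version,
            "ZipBitFlag": f"0x{flags:04x}",
            "ZipCompression": METHODS.get(method, str(method)),
            "ZipModifyDate": dos_datetime(mdate, mtime).strftime("%Y:%m:%d %H:%M:%S"),
            "ZipCRC": f"0x{crc:08x}",
            "ZipCompressedSize": "-" if streamed else csize,
            "ZipUncompressedSize": "-" if streamed else usize,
            "ZipFileName": name,
            "IsDirectory": name.endswith("/"),
        })
        if streamed:
            break   # the header carries no size, so the next header cannot be located this way
        pos += 30 + name_len + extra_len + csize
    return entries


def executable_names(buf):
    """Every entry with an executable extension, wherever it sits in the archive."""
    return [e["ZipFileName"] for e in parse_local_headers(buf)
            if e["ZipFileName"].lower().endswith((".exe", ".dll", ".scr", ".com"))]


def local_header(name, data=b"", flags=FLAG_UTF8, when=(2019, 10, 14, 15, 35, 16)):
    """Build one stored (method 0) local header followed by its data. Constructed for this example."""
    y, mo, d, h, mi, s = when
    mdate = ((y - 1980) << 9) | (mo << 5) | d
    mtime = (h << 11) | (mi << 5) | (s // 2)
    raw_name = name.encode("utf-8")
    header = struct.pack("<HHHHHIIIHH", 20, flags, 0, mtime, mdate,
                         zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data), len(raw_name), 0)
    return LOCAL_SIG + header + raw_name + data


# Constructed sample: a directory entry first, then a stub "java.exe" (not the real binary).
SAMPLE_ZIP = local_header("entry001/") + local_header("entry001/java.exe", b"MZ" + b"\x00" * 62)

if __name__ == "__main__":
    for entry in parse_local_headers(SAMPLE_ZIP):
        print(entry)
    print("executables:", executable_names(SAMPLE_ZIP))
```

Run against a real archive with `parse_local_headers(open(path, "rb").read())`; the first entry reproduces the report's EXIF block and the second is the executable the block does not show. Entries written with bit 3 set (streamed, sizes in a trailing data descriptor) stop the walk, which is the case where the central directory, not the local headers, has to be read.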
All screenshots are available in the full report
Total processes: 50
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes, in graph order: start, winrar.exe (no specs), java.exe (no specs), java.exe, notepad++.exe, gup.exe, cmd.exe (no specs), java.exe (no specs), java.exe (no specs)

Process information

PID: 2152
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file_2f9df04568f140f5b8fe0986323a79a9_2019-10-14T15_29_53.000Z.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3932
CMD: "C:\Users\admin\Desktop\java.exe"
Path: C:\Users\admin\Desktop\java.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 1
Version: 8.0.1710.11

PID: 3792
CMD: "C:\Users\admin\Desktop\java.exe"
Path: C:\Users\admin\Desktop\java.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: HIGH
Description: Java(TM) Platform SE binary
Exit code: 1
Version: 8.0.1710.11

PID: 2708
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\java.exe"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 252
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1

PID: 3672
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the console was closed or interrupted with Ctrl+C)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3996
CMD: C:\Users\admin\Desktop\java.exe
Path: C:\Users\admin\Desktop\java.exe
Parent process: cmd.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 1
Version: 8.0.1710.11

PID: 1748
CMD: "C:\Users\admin\Desktop\java.exe"
Path: C:\Users\admin\Desktop\java.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 1
Version: 8.0.1710.11
Total events: 511
Read events: 478
Write events: 0
Delete events: 0

Modification events
No data

Executable files: 0
Suspicious files: 0
Text files: 10
Unknown types: 0

Dropped files

PID: 2152
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2152.5001\entry001\java.exe
Type:
MD5:
SHA256:

PID: 1748
Process: java.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: 43422B521F36A95DD0D1DEBE6A5F7B69
SHA256: 88FF1AC22C5319E47C6AC4CB41E5EF4658A75BE5C95BDFDF403573AAFFE39A0F

PID: 2708
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
Type: xml
MD5: A49B81574B8340303AAEE81C6DE27B9D
SHA256: BDCD5858EF143FDCAD7A4E62ABB6FFB42936B8A8BCB55FC68DCEAC590731F868

PID: 2708
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml
Type: text
MD5: 06DDADD0440D1200035A4E31BCACC9A5
SHA256: 60DF8253EFB92B83648E8B91B241F1AE1E230448A0846707222E1B3E6A95FA8F

PID: 2708
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml
Type: text
MD5: AD21A64014891793DD9B21D835278F36
SHA256: C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F

PID: 3996
Process: java.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: E2746E0F3DDD41C550293126574FFD48
SHA256: 579E551D584AAC3BBD6D2626CEED569B66E21D2625B1D065046840836252F26A

PID: 3932
Process: java.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: 2304CAE8AC4C04D6F93444F3D5D7EDE7
SHA256: 55B09C58E78EA7B26539BE2FFFFCEB633A5E363D6BC56EC6858D39261D54F6F4

PID: 3792
Process: java.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: B03C509A7F50ADF28DDA5996B690AFAA
SHA256: A75C1733A75AD66DCB3999844AFFA009C1CA1628F616B779F0939C199A34037D

PID: 2708
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\langs.xml
Type: xml
MD5: E792264BEC29005B9044A435FBA185AB
SHA256: 5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624

PID: 2708
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini
Type: text
MD5: F70F579156C93B097E656CABA577A5C9
SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
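The MALICIOUS verdict rests on one signature, "Application was dropped or rewritten from another process", raised for the four java.exe launches; everything else the report records for java.exe is a start with no arguments, exit code 1 each time (what the Java launcher returns when given no class or jar), no network connections and a single JRE usage timestamp written per run. The following is an added example, not ANY.RUN's detection code, that replays the report's process and dropped-file tables through a reimplementation of that heuristic. The matching rule is an assumption: the report's dropped path (under Temp\Rar$DRa2152.5001\) differs from the executed path (Desktop), so a strict path match could not have fired, and the report leaves the MD5/SHA256 of the dropped java.exe blank, so a hash match cannot be reproduced from the page. The example therefore matches on file name and shows the strict path form beside it. The event order is constructed from the tables (the report gives no timestamps).

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileWrite:
    pid: int
    process: str
    path: str


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent: str


def flag_dropped_executables(events, match="name"):
    """Return {started_pid: writer_pid} for each ProcessStart whose image matches a file
    written earlier in `events` by a different process.
    match="path": image path must equal the written path (strict; misses copies and renames).
    match="name": file name only (what makes the report's four java.exe launches fire)."""
    if match == "path":
        key = lambda p: p.lower()
    elif match == "name":
        key = lambda p: PureWindowsPath(p).name.lower()
    else:
        raise ValueError(f"unknown match mode {match!r}")
    written = {}    # key -> pid of the first process that wrote that file
    flagged = {}
    for ev in events:
        if isinstance(ev, FileWrite):
            written.setdefault(key(ev.path), ev.pid)
        elif isinstance(ev, ProcessStart):
            k = key(ev.image)
            if k in written and written[k] != ev.pid:
                flagged[ev.pid] = written[k]
    return flagged


# Constructed from the report's "Process information" and "Dropped files" tables;
# the ordering is an assumption, the PIDs, paths and parents are the report's.
EVENTS = [
    ProcessStart(2152, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe"),
    FileWrite(2152, "WinRAR.exe",
              r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2152.5001\entry001\java.exe"),
    ProcessStart(3932, r"C:\Users\admin\Desktop\java.exe", "explorer.exe"),
    ProcessStart(3792, r"C:\Users\admin\Desktop\java.exe", "explorer.exe"),
    ProcessStart(2708, r"C:\Program Files\Notepad++\notepad++.exe", "explorer.exe"),
    FileWrite(2708, "notepad++.exe", r"C:\Users\admin\AppData\Roaming\Notepad++\config.xml"),
    ProcessStart(252, r"C:\Program Files\Notepad++\updater\gup.exe", "notepad++.exe"),
    ProcessStart(3672, r"C:\Windows\system32\cmd.exe", "explorer.exe"),
    ProcessStart(3996, r"C:\Users\admin\Desktop\java.exe", "cmd.exe"),
    ProcessStart(1748, r"C:\Users\admin\Desktop\java.exe", "explorer.exe"),
    FileWrite(1748, "java.exe", r"C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp"),
]

if __name__ == "__main__":
    for mode in ("name", "path"):
        print(mode, flag_dropped_executables(EVENTS, mode))
```

With name matching the four java.exe PIDs (3932, 3792, 3996, 1748) are attributed to the WinRAR extraction, PID 2152, exactly the set the indicator lists; with path matching nothing fires. The gap between the two is the user moving the extracted file to the Desktop, and it is why a sandbox signature of this kind has to key on file content (hash) or name rather than path, and why, on its own, it says nothing about what the dropped program did once it ran.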
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID:
Process:
Method: GET
HTTP Code: 200
IP: 195.138.255.24:80
URL: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
CN: DE
Type: der
Size: 1.37 Kb
Reputation: whitelisted

PID:
Process:
Method: GET
HTTP Code: 200
IP: 195.138.255.16:80
URL: http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgMpeSsuddjFyk25ZqSQ83ahjg%3D%3D
CN: DE
Type: der
Size: 527 b
Reputation: whitelisted

Connections

PID:
Process:
IP: 195.138.255.16:80
Domain: isrg.trustid.ocsp.identrust.com
ASN: AS33891 Netzbetrieb GmbH
CN: DE
Reputation: suspicious

PID:
Process:
IP: 195.138.255.24:80
Domain: isrg.trustid.ocsp.identrust.com
ASN: AS33891 Netzbetrieb GmbH
CN: DE
Reputation: whitelisted

PID: 252
Process: gup.exe
IP: 2.57.89.199:443
Domain: notepad-plus-plus.org
ASN:
CN:
Reputation: suspicious

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 2.57.89.199
whitelisted
isrg.trustid.ocsp.identrust.com
  • 195.138.255.24
  • 195.138.255.16
whitelisted
ocsp.int-x3.letsencrypt.org
  • 195.138.255.16
  • 195.138.255.8
whitelisted

Threats

No threats detected
Debug output strings

Process: notepad++.exe
Message: VerifyLibrary: certificate revocation checking is disabled

Process: notepad++.exe
Message: VerifyLibrary: certificate revocation checking is disabled

Process: notepad++.exe
Message: 42C4C5846BB675C74E2B2C90C69AB44366401093