File name: file_2f9df04568f140f5b8fe0986323a79a9_2019-10-14T15_29_53.000Z.zip
Full analysis: https://app.any.run/tasks/bed4bfb8-9f61-49b2-b247-11834ac79d29
Verdict: Malicious activity
Analysis date: October 14, 2019, 15:37:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5C52AF16BDBD878074505B13766FB34D
SHA1: 8727751CA9313B8266E6CA61F5AFDF5170D1D81A
SHA256: 5178DF32344A6D4A55EAD894C6510658108E4C1681092EC7DC280BB7E9F76344
SSDEEP: 1536:OOisPjsRnw61wvfZKkJZ5FxwVmihy6cW80q7X1/u80z9GPVlL4Pim+PbyijPjf:DisPiRvkJt6LDMX170JwVB46VysPT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • java.exe (PID: 2148)
      • java.exe (PID: 1712)
      • java.exe (PID: 292)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Manual execution by user

      • java.exe (PID: 292)
      • rundll32.exe (PID: 1416)
      • java.exe (PID: 2148)
      • java.exe (PID: 1712)
    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 1416)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: None
ZipModifyDate: 2019:10:14 15:35:16
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: entry001/
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph (all marked "no specs", i.e. no process-specific indicators): start, winrar.exe, java.exe, rundll32.exe, notepad.exe, java.exe, java.exe

Process information

PID 2172
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file_2f9df04568f140f5b8fe0986323a79a9_2019-10-14T15_29_53.000Z.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 292
  CMD: "C:\Users\admin\Desktop\java.exe"
  Path: C:\Users\admin\Desktop\java.exe
  Parent process: explorer.exe
  User: admin
  Company: Oracle Corporation
  Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary
  Exit code: 1
  Version: 8.0.1710.11

PID 1416
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\manifest.json
  Path: C:\Windows\system32\rundll32.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2500
  CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\manifest.json
  Path: C:\Windows\system32\NOTEPAD.EXE
  Parent process: rundll32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Notepad
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2148
  CMD: "C:\Users\admin\Desktop\java.exe"
  Path: C:\Users\admin\Desktop\java.exe
  Parent process: explorer.exe
  User: admin
  Company: Oracle Corporation
  Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary
  Exit code: 1
  Version: 8.0.1710.11

PID 1712
  CMD: "C:\Users\admin\Desktop\java.exe"
  Path: C:\Users\admin\Desktop\java.exe
  Parent process: explorer.exe
  User: admin
  Company: Oracle Corporation
  Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary
  Exit code: 1
  Version: 8.0.1710.11
Total events: 677
Read events: 585
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID 2172, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2172.45003\entry001\java.exe
  MD5: -
  SHA256: -

PID 2172, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2172.45912\manifest.json
  MD5: -
  SHA256: -

PID 1712, java.exe
  Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
  Type: text
  MD5: 3AFE67B1A7F0D1C2638978CBB9274FA7
  SHA256: C3F1EDB9F747701312B8BFAE40A2D8815E6D592567EC5E8E586C0A0A0D07371C

PID 2148, java.exe
  Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
  Type: text
  MD5: 17CB9596AA45630207E40BAEEFE65D07
  SHA256: 1B06C7D510D20821D3D9DA3608F04B7A169EB0555B5E2B0C88E08F91E2A68801

PID 292, java.exe
  Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
  Type: text
  MD5: 00F3F10E40DBBED5DAE827CC285EBB85
  SHA256: 5B9FA947E94A8497D7236578C42ACFCBBECB746000015CC7D6665BC05E5F1F68
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info