File name: ClientDownloader_azure.exe.zip

Full analysis: https://app.any.run/tasks/000cc863-3bb1-4b28-8666-68f44625d9c5
Verdict: Malicious activity
Analysis date: July 05, 2024, 06:26:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 7CA6993950746A2B319DBDA239C00131
SHA1: EA5C9AD2A5EC6EC566E168BE294F9EFDB82890E7
SHA256: 52FAF417AC90851072DD58C43BBDF3492DE631C709E051749E1213D005D1622E
SSDEEP: 12288:Nl++Pe4eWAbUStboFkPvFQE8M25GzCFUfcTa01B0r/f:Nl1ZeWAbUSts+PvFQE8M25GzsUfcTa0m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3392)
      • ClientDownloader_azure.exe (PID: 3432)
      • CLIENT~1.EXE (PID: 3252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ClientDownloader_azure.exe (PID: 3432)
      • CLIENT~1.EXE (PID: 3252)
    • Starts a Microsoft application from unusual location

      • ClientDownloader_azure.exe (PID: 3432)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3392)
      • CLIENT~1.EXE (PID: 3252)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3392)
    • Reads the Internet Settings

      • CLIENT~1.EXE (PID: 3252)
    • Checks Windows Trust Settings

      • CLIENT~1.EXE (PID: 3252)
    • Reads settings of System Certificates

      • CLIENT~1.EXE (PID: 3252)
    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3392)
  • INFO

    • Create files in a temporary directory

      • ClientDownloader_azure.exe (PID: 3432)
      • CLIENT~1.EXE (PID: 3252)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3392)
    • Checks supported languages

      • ClientDownloader_azure.exe (PID: 3432)
      • CLIENT~1.EXE (PID: 3252)
    • Checks proxy server information

      • CLIENT~1.EXE (PID: 3252)
    • Reads the computer name

      • CLIENT~1.EXE (PID: 3252)
    • Reads the machine GUID from the registry

      • CLIENT~1.EXE (PID: 3252)
    • Reads the software policy settings

      • CLIENT~1.EXE (PID: 3252)
    • Creates files or folders in the user directory

      • CLIENT~1.EXE (PID: 3252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2024:07:04 19:09:46
ZipCRC: 0x2bfd5ac1
ZipCompressedSize: 423192
ZipUncompressedSize: 468992
ZipFileName: ClientDownloader_azure.exe
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process chain)

start -> winrar.exe -> clientdownloader_azure.exe -> client~1.exe

Process information

PID: 3252
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CLIENT~1.EXE
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CLIENT~1.EXE
Parent process: ClientDownloader_azure.exe
User: admin
Company: Parallels International GmbH.
Integrity Level: MEDIUM
Description: ClientDownloader
Version: 19.2 (build 23975)
Modules (Images):
  c:\users\admin\appdata\local\temp\ixp000.tmp\client~1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winspool.drv

PID: 3392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\ClientDownloader_azure.exe.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (Images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3432
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3392.11521\ClientDownloader_azure.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3392.11521\ClientDownloader_azure.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.17763.1 (WinBuild.160101.0800)
Modules (Images):
  c:\users\admin\appdata\local\temp\rar$exb3392.11521\clientdownloader_azure.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
Total events: 7 817
Read events: 7 750
Write events: 61
Delete events: 6

Modification events

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ClientDownloader_azure.exe.zip

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 3
Suspicious files: 4
Text files: 6
Unknown types: 0

Dropped files

PID: 3392 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3392.11521\ClientDownloader_azure.exe
MD5: 1860AD93ADECF0277B63EFEA4861EB22
SHA256: 6F6EFCC0963CFEAAB823CC119444A87AE8CB22BBFC39198ACA2C8FF9EE7F5A9B

PID: 3252 | Process: CLIENT~1.EXE | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\Branding\Brand.bmp
MD5: E591837CB8D3B780C325A1122A3EA792
SHA256: E365D7B12777E7E73A6A6A69A131B7C1A1A8E079589AA0C67F5E6C6C837DF7E0

PID: 3432 | Process: ClientDownloader_azure.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CLIENT~1.EXE
MD5: 736F821A89BD220EFA4131D3AFF7BA0C
SHA256: 5393B6539C8EF8A1941B3012DF279484A655E8873A1C404554B3BFF16CC5301A

PID: 3252 | Process: CLIENT~1.EXE | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
MD5: A87917C68103441F45AF79B5F9A00437
SHA256: CE8C0F662B90531D0DFF323733A542C36D082F290E3D1630D9C9161E350EF6DC

PID: 3252 | Process: CLIENT~1.EXE | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Branding\Brand.ini
MD5: 7E25C8DC756B9278B2AD8B7DF1D478B0
SHA256: 1AB91F08955825178D10AA8EA740188D4538EFEBC417E13CFB0630BB88270414

PID: 3252 | Process: CLIENT~1.EXE | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\Branding\Brand.ico
MD5: 30CFE051D6960678093F425E3C4860C5
SHA256: 8162F24745FB61E949EA6302D615F2925474EFB0FF64A8C106CF97293DA46297

PID: 3252 | Process: CLIENT~1.EXE | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Branding\CLIENT~1.EXE
MD5: 736F821A89BD220EFA4131D3AFF7BA0C
SHA256: 5393B6539C8EF8A1941B3012DF279484A655E8873A1C404554B3BFF16CC5301A

PID: 3432 | Process: ClientDownloader_azure.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Brand.ico
MD5: 30CFE051D6960678093F425E3C4860C5
SHA256: 8162F24745FB61E949EA6302D615F2925474EFB0FF64A8C106CF97293DA46297

PID: 3432 | Process: ClientDownloader_azure.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Brand.bmp
MD5: E591837CB8D3B780C325A1122A3EA792
SHA256: E365D7B12777E7E73A6A6A69A131B7C1A1A8E079589AA0C67F5E6C6C837DF7E0

PID: 3252 | Process: CLIENT~1.EXE | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
MD5: 2365869258DF7A66A2121B802CA4AFD9
SHA256: D6B1932822BBD72A8E78C771717D992142348F67D625A42393719FEFBE59B0ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 12
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1372 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
3252 | CLIENT~1.EXE | GET | 200 | 216.58.212.131:80 | http://c.pki.goog/r/gsr1.crl | unknown | unknown
3252 | CLIENT~1.EXE | GET | 200 | 216.58.212.131:80 | http://c.pki.goog/r/r4.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67a3611ec3c0260d | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.216.77.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.216.77.10:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
3252 | CLIENT~1.EXE | 104.18.171.3:443 | download.parallels.com | CLOUDFLARENET | - | unknown
3252 | CLIENT~1.EXE | 216.58.212.131:80 | c.pki.goog | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
crl.microsoft.com | 23.216.77.10, 23.216.77.18 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
download.parallels.com | 104.18.171.3, 104.18.170.3 | whitelisted
c.pki.goog | 216.58.212.131 | unknown

Threats: No threats detected
Debug info: No debug info