File name: 43799712e3008817cb6baded15560c9d89d484e8.rl.zip
Full analysis: https://app.any.run/tasks/db219d00-b9a9-47a6-952e-33bdf021ec7e
Verdict: Malicious activity
Analysis date: April 23, 2019, 12:16:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 24FDD746C7878E32B49CC2456659BD05
SHA1: 4808D2F7C019F30728896822A0C4214ED6F2E660
SHA256: 53020FC4FBC96F249BD4C7D2DD7241A80C9384258F917DAE23BE8F7986D80C19
SSDEEP: 98304:z6Zr5YXBYqUY3Rgv7lAk3sFv1Ci/WazlxNWibWp94MCuMDA8zWfXK+itCRQFPoyg:z6Z1cV9EaVbPOglpbWvFuWfXnR6PxON
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 43799712e3008817cb6baded15560c9d89d484e8.exe (PID: 2596)
      • 43799712e3008817cb6baded15560c9d89d484e8.exe (PID: 3328)
      • ida.exe (PID: 3412)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 3588)
      • regsvr32.exe (PID: 3380)
      • ida.exe (PID: 3412)
      • iexplore.exe (PID: 2980)
      • iexplore.exe (PID: 2704)
      • iexplore.exe (PID: 2300)
    • Registers / Runs the DLL via REGSVR32.EXE

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Changes the autorun value in the registry

      • ida.exe (PID: 3412)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 43799712e3008817cb6baded15560c9d89d484e8.exe (PID: 3328)
      • 43799712e3008817cb6baded15560c9d89d484e8.exe (PID: 2596)
      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
      • ida.exe (PID: 3412)
    • Reads Windows owner or organization settings

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Reads the Windows organization settings

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Changes IE settings (feature browser emulation)

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Creates files in the user directory

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
      • ida.exe (PID: 3412)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 3588)
      • regsvr32.exe (PID: 3380)
    • Modifies the open verb of a shell class

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Starts Internet Explorer

      • ida.exe (PID: 3412)
  • INFO

    • Application was dropped or rewritten from another process

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3484)
      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Creates files in the program directory

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Creates a software uninstall entry

      • 43799712e3008817cb6baded15560c9d89d484e8.tmp (PID: 3996)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2980)
      • iexplore.exe (PID: 2300)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3024)
      • iexplore.exe (PID: 2980)
      • opera.exe (PID: 2216)
      • iexplore.exe (PID: 2704)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3608)
      • iexplore.exe (PID: 2300)
    • Application launched itself

      • iexplore.exe (PID: 2704)
      • chrome.exe (PID: 2556)
    • Changes internet zones settings

      • iexplore.exe (PID: 2704)
      • iexplore.exe (PID: 2848)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2980)
      • iexplore.exe (PID: 2300)
    • Dropped object may contain TOR URL's

      • iexplore.exe (PID: 2980)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2300)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2704)
      • chrome.exe (PID: 2556)
      • iexplore.exe (PID: 2848)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2704)
      • iexplore.exe (PID: 2848)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2704)
      • iexplore.exe (PID: 2848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 43799712e3008817cb6baded15560c9d89d484e8.rl
ZipUncompressedSize: 7216968
ZipCompressedSize: 7141884
ZipCRC: 0xea40313b
ZipModifyDate: 2019:04:23 11:50:03
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 22
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Process nodes in the order the graph lists them (the graph's edge labels are "start" and "drop and start"; "no specs" is the graph's own annotation on a node and is kept as shown):
winrar.exe (no specs); 43799712e3008817cb6baded15560c9d89d484e8.exe; 43799712e3008817cb6baded15560c9d89d484e8.tmp (no specs); 43799712e3008817cb6baded15560c9d89d484e8.exe; 43799712e3008817cb6baded15560c9d89d484e8.tmp; regsvr32.exe (no specs); regsvr32.exe (no specs); ida.exe; opera.exe; iexplore.exe; iexplore.exe; flashutil32_26_0_0_131_activex.exe (no specs); chrome.exe; six more chrome.exe (no specs); iexplore.exe; iexplore.exe; flashutil32_26_0_0_131_activex.exe (no specs)

Process information

One block per monitored process: PID, command line, path, parent process, then the per-process details the report lists. The "Indicators" column carries no text in this extract and is omitted.

PID 3100
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\43799712e3008817cb6baded15560c9d89d484e8.rl.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 2596
CMD: "C:\Users\admin\Desktop\43799712e3008817cb6baded15560c9d89d484e8.exe"
Path: C:\Users\admin\Desktop\43799712e3008817cb6baded15560c9d89d484e8.exe
Parent process: explorer.exe
User: admin
Company: WestByte
Integrity Level: MEDIUM
Description: Internet Download Accelerator Setup
Exit code: 0
Version: 6.17.2

PID 3484
CMD: "C:\Users\admin\AppData\Local\Temp\is-SQR39.tmp\43799712e3008817cb6baded15560c9d89d484e8.tmp" /SL5="$40142,6726713,121344,C:\Users\admin\Desktop\43799712e3008817cb6baded15560c9d89d484e8.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-SQR39.tmp\43799712e3008817cb6baded15560c9d89d484e8.tmp
Parent process: 43799712e3008817cb6baded15560c9d89d484e8.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

PID 3328
CMD: "C:\Users\admin\Desktop\43799712e3008817cb6baded15560c9d89d484e8.exe" /SPAWNWND=$40134 /NOTIFYWND=$40142
Path: C:\Users\admin\Desktop\43799712e3008817cb6baded15560c9d89d484e8.exe
Parent process: 43799712e3008817cb6baded15560c9d89d484e8.tmp
User: admin
Company: WestByte
Integrity Level: HIGH
Description: Internet Download Accelerator Setup
Exit code: 0
Version: 6.17.2

PID 3996
CMD: "C:\Users\admin\AppData\Local\Temp\is-6S189.tmp\43799712e3008817cb6baded15560c9d89d484e8.tmp" /SL5="$9010C,6726713,121344,C:\Users\admin\Desktop\43799712e3008817cb6baded15560c9d89d484e8.exe" /SPAWNWND=$40134 /NOTIFYWND=$40142
Path: C:\Users\admin\AppData\Local\Temp\is-6S189.tmp\43799712e3008817cb6baded15560c9d89d484e8.tmp
Parent process: 43799712e3008817cb6baded15560c9d89d484e8.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

PID 3588
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\IDA\idaie.dll"
Path: C:\Windows\system32\regsvr32.exe
Parent process: 43799712e3008817cb6baded15560c9d89d484e8.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3380
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\IDA\idaiehlp.dll"
Path: C:\Windows\system32\regsvr32.exe
Parent process: 43799712e3008817cb6baded15560c9d89d484e8.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3412
CMD: "C:\Program Files\IDA\ida.exe"
Path: C:\Program Files\IDA\ida.exe
Parent process: 43799712e3008817cb6baded15560c9d89d484e8.tmp
User: admin
Company: WestByte
Integrity Level: MEDIUM
Description: Internet Download Accelerator
Version: 6.17.2.1613

PID 2216
CMD: "C:\Program Files\Opera\opera.exe" https://westbyte.com/ida/opera/plugin
Path: C:\Program Files\Opera\opera.exe
Parent process: ida.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Exit code: 0
Version: 1748

PID 2704
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: ida.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
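The signature list and the process table above are what the sandbox derives from raw process-creation and file-write events. The script below is an added example, not ANY.RUN's code, that re-derives three of those findings from such events: "Application was dropped or rewritten from another process" (a process whose image was written during the run by a different process), "Registers / Runs the DLL via REGSVR32.EXE" narrowed to DLLs outside the Windows system directories and cross-referenced with who wrote the DLL, and the point in the chain where the integrity level rises from MEDIUM to HIGH (PID 3484 to PID 3328 in the table). The process rows are copied from the process table; the file-drop events are constructed for this example: the two is-*.tmp stubs mirror the unpack step visible in the table, and the three C:\Program Files\IDA entries are an assumption consistent with PID 3996 "Creates files in the program directory" and with the regsvr32 command lines, since this extract lists the IDA directory drops only as is-*.tmp names without hashes. The record types, rule names and the command-line tokenizer are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str      # executable path
    cmdline: str
    parent: int     # parent PID (0 where the parent is explorer.exe, which the table does not list)
    integrity: str  # LOW / MEDIUM / HIGH / SYSTEM


@dataclass
class Drop:
    pid: int        # process that wrote the file
    path: str


# Paths taken from the process table above.
H = "43799712e3008817cb6baded15560c9d89d484e8"
TMP = r"C:\Users\admin\AppData\Local\Temp"
ZIP = ntpath.join(TMP, H + ".rl.zip")
DESK_EXE = ntpath.join(r"C:\Users\admin\Desktop", H + ".exe")
STUB1 = ntpath.join(TMP, "is-SQR39.tmp", H + ".tmp")
STUB2 = ntpath.join(TMP, "is-6S189.tmp", H + ".tmp")
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
REGSVR = r"C:\Windows\system32\regsvr32.exe"
IDA_DIR = r"C:\Program Files\IDA"
IDA_EXE = ntpath.join(IDA_DIR, "ida.exe")
IDAIE = ntpath.join(IDA_DIR, "idaie.dll")
IDAIEHLP = ntpath.join(IDA_DIR, "idaiehlp.dll")
OPERA = r"C:\Program Files\Opera\opera.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Process rows copied from the table: PID, image, command line, parent PID, integrity.
PROCS = [
    Proc(3100, WINRAR, f'"{WINRAR}" "{ZIP}"', 0, "MEDIUM"),
    Proc(2596, DESK_EXE, f'"{DESK_EXE}"', 0, "MEDIUM"),
    Proc(3484, STUB1, f'"{STUB1}" /SL5="$40142,6726713,121344,{DESK_EXE}"', 2596, "MEDIUM"),
    Proc(3328, DESK_EXE, f'"{DESK_EXE}" /SPAWNWND=$40134 /NOTIFYWND=$40142', 3484, "HIGH"),
    Proc(3996, STUB2, f'"{STUB2}" /SL5="$9010C,6726713,121344,{DESK_EXE}" /SPAWNWND=$40134 /NOTIFYWND=$40142',
         3328, "HIGH"),
    Proc(3588, REGSVR, f'"{REGSVR}" /s "{IDAIE}"', 3996, "HIGH"),
    Proc(3380, REGSVR, f'"{REGSVR}" /s "{IDAIEHLP}"', 3996, "HIGH"),
    Proc(3412, IDA_EXE, f'"{IDA_EXE}"', 3996, "MEDIUM"),
    Proc(2216, OPERA, f'"{OPERA}" https://westbyte.com/ida/opera/plugin', 3412, "MEDIUM"),
    Proc(2704, IE, f'"{IE}" -nohome', 3412, "MEDIUM"),
]

# Constructed file-write events (not exported from the report). The stub drops mirror the
# table; the IDA directory drops are an assumption consistent with PID 3996 creating files
# in the program directory and regsvr32 registering DLLs from there.
DROPS = [
    Drop(2596, STUB1),
    Drop(3328, STUB2),
    Drop(3996, IDA_EXE),
    Drop(3996, IDAIE),
    Drop(3996, IDAIEHLP),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def split_cmdline(cmdline):
    """Minimal Windows command-line tokenizer: double-quoted spans or bare words."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def dropped_or_rewritten(procs, drops):
    """PIDs whose image file was written during the run by a different process."""
    writer = {d.path.lower(): d.pid for d in drops}
    return sorted(p.pid for p in procs
                  if p.image.lower() in writer and writer[p.image.lower()] != p.pid)


def regsvr32_registrations(procs, drops):
    """regsvr32 invocations on DLLs outside the system directories.
    Returns (parent_pid, regsvr32_pid, dll_path, pid_that_wrote_the_dll_or_None)."""
    writer = {d.path.lower(): d.pid for d in drops}
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "regsvr32.exe":
            continue
        for tok in split_cmdline(p.cmdline)[1:]:
            t = tok.lower()
            if t.endswith(".dll") and not t.startswith(SYSTEM_DIRS):
                hits.append((p.parent, p.pid, tok, writer.get(t)))
    return hits


def integrity_hops(procs):
    """(parent_pid, child_pid) pairs where the child runs at a higher integrity than its parent."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
    by_pid = {p.pid: p for p in procs}
    return [(p.parent, p.pid) for p in procs
            if p.parent in by_pid and rank[p.integrity] > rank[by_pid[p.parent].integrity]]


if __name__ == "__main__":
    print("dropped/rewritten images:", dropped_or_rewritten(PROCS, DROPS))
    for parent, pid, dll, by in regsvr32_registrations(PROCS, DROPS):
        print(f"regsvr32 pid {pid} (parent {parent}) registers {dll}; written by pid {by}")
    print("integrity hops (parent -> child):", integrity_hops(PROCS))
```

The integrity hop is the step where the is-*.tmp stub re-launches the installer with /SPAWNWND and elevation is granted; everything below PID 3328, including both regsvr32 calls, then runs at HIGH. A rule that fires on regsvr32 registering a DLL from Program Files therefore needs the drop cross-reference (who wrote the DLL, and when) to separate an installer registering its own browser add-on from a DLL planted by something else.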
Total events: 2 891
Read events: 1 947
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 16
Suspicious files: 109
Text files: 290
Unknown types: 38

Dropped files

Columns: PID, process, filename. The Type, MD5 and SHA256 columns are empty in this extract.

3100 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3100.30329\43799712e3008817cb6baded15560c9d89d484e8.rl
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-MIT6A.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-H59DG.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-TA8HK.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-4OM7K.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-6LSRS.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-BVH0B.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-NCSIS.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-C60SQ.tmp
3996 | 43799712e3008817cb6baded15560c9d89d484e8.tmp | C:\Program Files\IDA\is-A8IGN.tmp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 112
DNS requests: 51
Threats: 0

HTTP requests

Columns: PID | process | method | HTTP code | IP | URL | CN | type | size | reputation

2216 | opera.exe | GET | 200 | 192.35.177.64:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 896 b | whitelisted
2216 | opera.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEAasQb69UoQdNZpM7kfKQNc%3D | US | der | 471 b | whitelisted
2216 | opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 546 b | whitelisted
2216 | opera.exe | GET | 200 | 66.225.197.197:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 543 b | whitelisted
2216 | opera.exe | GET | 200 | 151.139.130.5:80 | http://crl.comodoca.com/COMODORSACertificationAuthority.crl | US | der | 812 b | whitelisted
2216 | opera.exe | GET | 200 | 151.139.130.5:80 | http://crl.usertrust.com/AddTrustExternalCARoot.crl | US | der | 673 b | whitelisted
2216 | opera.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAOXQPQlVpLtFek%2BmcpabOk%3D | US | der | 471 b | whitelisted
2300 | iexplore.exe | GET | 301 | 104.248.22.61:80 | http://mytopfiles.com/games/catalog/ | US | html | 245 b | unknown
2216 | opera.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHX3BqUwIdeWLNY9ZlxpZaA%3D | US | der | 471 b | whitelisted
2216 | opera.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAkvvPDaV%2FYJiHnSopBwykc%3D | US | der | 471 b | whitelisted

Connections

Columns: PID | process | IP | domain | ASN | CN | reputation (the CN field is blank for certs.opera.com in this extract)

2980 | iexplore.exe | 216.58.205.232:443 | ssl.google-analytics.com | Google Inc. | US | whitelisted
2216 | opera.exe | 82.145.215.40:443 | certs.opera.com | Opera Software AS | | whitelisted
2704 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2216 | opera.exe | 66.225.197.197:80 | crl4.digicert.com | CacheNetworks, Inc. | US | whitelisted
2980 | iexplore.exe | 104.19.223.60:443 | www.trialpay.com | Cloudflare Inc | US | shared
2980 | iexplore.exe | 31.13.90.36:443 | www.facebook.com | Facebook, Inc. | IE | whitelisted
2980 | iexplore.exe | 74.125.71.156:443 | stats.g.doubleclick.net | Google Inc. | US | whitelisted
2216 | opera.exe | 192.35.177.64:80 | crl.identrust.com | IdenTrust | US | malicious
2216 | opera.exe | 178.62.232.239:443 | westbyte.com | Digital Ocean, Inc. | NL | unknown
2980 | iexplore.exe | 87.250.250.90:443 | an.yandex.ru | YANDEX LLC | RU | whitelisted

DNS requests

Columns: domain | resolved IPs | reputation

westbyte.com | 178.62.232.239 | malicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ssl.google-analytics.com | 216.58.205.232 | whitelisted
stats.g.doubleclick.net | 74.125.71.156, 74.125.71.154, 74.125.71.155, 74.125.71.157 | whitelisted
sitecheck2.opera.com | 185.26.182.111, 185.26.182.112, 185.26.182.93, 185.26.182.94 | whitelisted
certs.opera.com | 82.145.215.40 | whitelisted
crl.identrust.com | 192.35.177.64 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.21.242.245, 2.21.242.204 | whitelisted
an.yandex.ru | 87.250.250.90, 77.88.21.90, 93.158.134.90, 213.180.193.90, 213.180.204.90 | whitelisted
www.trialpay.com | 104.19.223.60, 104.19.229.60 | unknown
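The HTTP, Connections and DNS tables above mix certificate-validation traffic generated by the browser (CRL and OCSP fetches by opera.exe, all returning DER and all whitelisted) with the destinations that actually belong to the sample (westbyte.com, which ida.exe opened in Opera, and mytopfiles.com, fetched by iexplore.exe), and the reputation column of the Connections table disagrees with the reputation column of the DNS table for three domains (crl.identrust.com, westbyte.com, www.trialpay.com). The script below is an added example, not part of the report, that does the two triage steps an analyst would do by hand: set the CRL/OCSP plumbing aside, and list the domains on which the two reputation columns disagree so neither column is taken as final on its own. The request and reputation rows are copied from the tables above (only the domains needed for the checks); the hostname pattern used to recognise CRL/OCSP endpoints is this example's own heuristic.

```python
import re
from urllib.parse import urlsplit

# Rows copied from the HTTP requests table: (pid, process, url, type, reputation).
HTTP = [
    (2216, "opera.exe", "http://crl.identrust.com/DSTROOTCAX3CRL.crl", "der", "whitelisted"),
    (2216, "opera.exe", "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEAasQb69UoQdNZpM7kfKQNc%3D", "der", "whitelisted"),
    (2216, "opera.exe", "http://crl.pki.goog/gsr2/gsr2.crl", "der", "whitelisted"),
    (2216, "opera.exe", "http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl", "der", "whitelisted"),
    (2216, "opera.exe", "http://crl.comodoca.com/COMODORSACertificationAuthority.crl", "der", "whitelisted"),
    (2216, "opera.exe", "http://crl.usertrust.com/AddTrustExternalCARoot.crl", "der", "whitelisted"),
    (2216, "opera.exe", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAOXQPQlVpLtFek%2BmcpabOk%3D", "der", "whitelisted"),
    (2300, "iexplore.exe", "http://mytopfiles.com/games/catalog/", "html", "unknown"),
]

# Reputation column of the Connections table, per domain (copied from above).
CONNECTIONS = {
    "ssl.google-analytics.com": "whitelisted",
    "certs.opera.com": "whitelisted",
    "www.bing.com": "whitelisted",
    "crl4.digicert.com": "whitelisted",
    "www.trialpay.com": "shared",
    "www.facebook.com": "whitelisted",
    "stats.g.doubleclick.net": "whitelisted",
    "crl.identrust.com": "malicious",
    "westbyte.com": "unknown",
    "an.yandex.ru": "whitelisted",
}

# Reputation column of the DNS requests table, per domain (copied from above).
DNS = {
    "westbyte.com": "malicious",
    "www.bing.com": "whitelisted",
    "ssl.google-analytics.com": "whitelisted",
    "stats.g.doubleclick.net": "whitelisted",
    "sitecheck2.opera.com": "whitelisted",
    "certs.opera.com": "whitelisted",
    "crl.identrust.com": "whitelisted",
    "ocsp.int-x3.letsencrypt.org": "whitelisted",
    "an.yandex.ru": "whitelisted",
    "www.trialpay.com": "unknown",
}

# Heuristic (this example's own): CRL distribution points and OCSP responders are
# commonly hosted on crl*. / ocsp. names, and CRL files end in .crl. Replace with an
# allow-list of the CAs you actually trust if you use this in production.
CERT_HOST = re.compile(r"^(crl\d*|ocsp)\.", re.IGNORECASE)


def is_cert_plumbing(url):
    """True for requests that are part of certificate validation rather than page content."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return bool(CERT_HOST.match(host)) or parts.path.lower().endswith(".crl")


def triage(http):
    """Split request rows into certificate-validation noise and destinations to review."""
    noise, review = [], []
    for pid, proc, url, mime, rep in http:
        (noise if is_cert_plumbing(url) else review).append((pid, proc, url, rep))
    return noise, review


def reputation_conflicts(connections, dns):
    """Domains present in both tables that the two reputation columns score differently."""
    shared = connections.keys() & dns.keys()
    return sorted((d, connections[d], dns[d]) for d in shared if connections[d] != dns[d])


if __name__ == "__main__":
    noise, review = triage(HTTP)
    print(f"{len(noise)} CRL/OCSP fetches set aside; {len(review)} request(s) to review:")
    for pid, proc, url, rep in review:
        print(f"  pid {pid} {proc} -> {url} [{rep}]")
    print("reputation disagreements (domain, connections column, dns column):")
    for row in reputation_conflicts(CONNECTIONS, DNS):
        print("  ", row)
```

The disagreements are the caveat: crl.identrust.com is "malicious" in one column and "whitelisted" in the other, and it is a CRL endpoint the browser fetched on its own, while westbyte.com, the only host the sample itself launched a browser at, is "unknown" in one column and "malicious" in the other. Treat both reputation columns as inputs to your own judgement, and tie each destination back to the PID that opened it (2216 opera.exe, launched by ida.exe, for westbyte.com) before scoring it.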

Threats

Columns: PID | process | class | message

2556 | chrome.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
No debug info