analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

xmlparse.bin.zip

Full analysis: https://app.any.run/tasks/0f4603b9-acf7-4470-8c82-fa87e7fa3ba0
Verdict: Malicious activity
Analysis date: March 21, 2019, 20:30:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

3DAFD38EBA6DE8BE6D777ECF94B0BA9E

SHA1:

1A838A99AA60AD58D6012336025F574E78B6B5CD

SHA256:

5417C4BF24D953425E3006FD63AFC561AF4B1856A827F83DD25514FA122E623D

SSDEEP:

6144:41M2eNr2RWUdCD4gOSjsgsKqe6MWMw54ut0TgOB8UXao1bCNvM:WUAWqC85SohUaMw54utgSUX31iU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3612)
      • explorer.exe (PID: 1696)
    • Changes the autorun value in the registry

      • reg.exe (PID: 1252)
    • Runs app for hidden code execution

      • explorer.exe (PID: 1696)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2368)
      • explorer.exe (PID: 1696)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 1696)
      • cmd.exe (PID: 2196)
    • Application launched itself

      • cmd.exe (PID: 2196)
    • Reads internet explorer settings

      • mmc.exe (PID: 2108)
      • mmc.exe (PID: 4052)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2132)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:03:21 17:52:00
ZipCRC: 0x2e387ed0
ZipCompressedSize: 315371
ZipUncompressedSize: 318896
ZipFileName: xmlparse.bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
14
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs explorer.exe no specs explorer.exe cmd.exe no specs cmd.exe no specs reg.exe taskmgr.exe no specs mmc.exe no specs mmc.exe mmc.exe cmd.exe no specs explorer.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2368"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\xmlparse.bin.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3612"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2868"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1696C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2196"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2132cmd.exe /C reg add "HKCU\SOFTWARE\microsoft\windows\currentversion\run" /v ServiceDLL /t REG_EXPAND_SZ /d "rundll32 C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega" /fC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1252reg add "HKCU\SOFTWARE\microsoft\windows\currentversion\run" /v ServiceDLL /t REG_EXPAND_SZ /d "rundll32 C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega" /fC:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2568"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1360"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc" C:\Windows\system32\mmc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2108"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc" C:\Windows\system32\mmc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
4 561
Read events
2 880
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
2368WinRAR.exeC:\Users\admin\AppData\Local\Temp\__rzi_2368.26558
MD5:
SHA256:
4052mmc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\views[1]
MD5:
SHA256:
2368WinRAR.exeC:\Users\admin\AppData\Local\Temp\xmlparse.bin.zipcompressed
MD5:E4FE95685853A3DCDBB0C1415ACD917F
SHA256:DAD2B9E55B0E0586E9B0B97519451B524894CD3BA3D755329899F29C9519D4F1
1696explorer.exeC:\Users\admin\Desktop\xmlparse.dllexecutable
MD5:6675C63A2534FD65B3B2DA751F2B393F
SHA256:BEE3B2710F7E874CE05E6B8B45CC20E021B9C00EE337238598E71E7315128333
1696explorer.exeC:\Users\admin\AppData\Local\Temp\xmlparse.dllexecutable
MD5:6675C63A2534FD65B3B2DA751F2B393F
SHA256:BEE3B2710F7E874CE05E6B8B45CC20E021B9C00EE337238598E71E7315128333
2368WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2368.26697\xmlparse.dllexecutable
MD5:6675C63A2534FD65B3B2DA751F2B393F
SHA256:BEE3B2710F7E874CE05E6B8B45CC20E021B9C00EE337238598E71E7315128333
2108mmc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\views[1]html
MD5:A726593A8261930E4786375106FC6BFE
SHA256:E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172
2108mmc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\views[1]html
MD5:A726593A8261930E4786375106FC6BFE
SHA256:E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172
4052mmc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\views[1]html
MD5:A726593A8261930E4786375106FC6BFE
SHA256:E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172
4052mmc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\views[1]html
MD5:A726593A8261930E4786375106FC6BFE
SHA256:E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info