File name: Release.zip
Full analysis: https://app.any.run/tasks/3fec42a8-be00-44d8-95ca-e358a7e05762
Verdict: Malicious activity
Analysis date: January 14, 2022, 21:22:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 0B77799FBBFEFF4CC608830AA4C543E8
SHA1: 10CF3C68218E9FEF2A370CDE0C0C249D078809C5
SHA256: 57289250571863ECF91CCF60CA6386DB00410E4401914AA5FF06728F8443DBAC
SSDEEP: 196608:0XpwF21zF2cJ4IKKORJwfZ6o1NhH0hxrlaboAwlTwF215cEV2cuKfKKORJwFZ6mH:apwQ1B4IKBiR6otH0nrlaEAw5wQ13SKj
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3536)
      • Etiff.exe (PID: 2984)
    • Application was dropped or rewritten from another process
      • Etiff.exe (PID: 2984)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 3624)
      • Etiff.exe (PID: 2984)
    • Reads the computer name
      • WinRAR.exe (PID: 3624)
      • Etiff.exe (PID: 2984)
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 3624)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 3624)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3624)
    • Reads Environment values
      • Etiff.exe (PID: 2984)
    • Reads default file associations for system extensions
      • Etiff.exe (PID: 2984)
  • INFO
    • Manual execution by user
      • Etiff.exe (PID: 2984)
    • Reads settings of System Certificates
      • Etiff.exe (PID: 2984)
    • Checks Windows Trust Settings
      • Etiff.exe (PID: 2984)

How to read the per-process attribution: WinRAR.exe (PID 3624) is the archiver the sandbox user opened Release.zip with, so the "drops a file ..." and "executable content was dropped" hits on it describe the archive's contents being written to disk, not behaviour of WinRAR itself. SearchProtocolHost.exe (PID 3536) is the Windows Search gatherer, started by SearchIndexer.exe as SYSTEM; its "loads dropped or rewritten executable" hit comes from the indexer reading the freshly extracted files, and the behaviour graph lists it as "no specs". The signatures that describe the sample itself are the ones on Etiff.exe (PID 2984), which the user started manually from the extracted folder.

No malware configuration was extracted.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2022:01:14 14:53:13
ZipCRC: 0x0f3da4f2
ZipCompressedSize: 123983
ZipUncompressedSize: 315392
ZipFileName: Release/mysql.data.dll

These EXIF fields describe only the first local file header in the archive (Release/mysql.data.dll); the other members, including Etiff.exe and the app.publish tree seen in the dropped-files list, are not represented here. Required version 20 means "2.0 to extract", the minimum for Deflate. Bit flag 0x0008 is bit 3 of the general-purpose flag: the CRC and sizes were written in a data descriptor after the member data, so the local header itself carries zeros for them and the values above come from the data descriptor or central directory.
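Because the EXIF block covers one member only, a practitioner will usually want the same fields for every entry plus a sanity check on the member names. The following is an added example, not code from the ANY.RUN report and not the real bytes of Release.zip: it builds a constructed two-member stand-in archive with the same Deflate/data-descriptor layout (member names and payloads are invented), then reads each member's required version, flag bits, compression, timestamp, CRC and sizes from the central directory, and flags executable-looking names and paths that would escape the extraction directory. The flag constants and compression codes are from the ZIP specification.

```python
import io
import zipfile
import zlib

# General-purpose flag bits from the ZIP specification (APPNOTE 4.4.4).
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008   # CRC/sizes follow the data; the report's ZipBitFlag
FLAG_UTF8_NAMES = 0x0800

COMPRESSION_NAMES = {zipfile.ZIP_STORED: "Stored", zipfile.ZIP_DEFLATED: "Deflated",
                     zipfile.ZIP_BZIP2: "BZip2", zipfile.ZIP_LZMA: "LZMA"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".deploy")


class _WriteOnlySink:
    """Write-only stream with no seek()/tell(). zipfile treats it like a pipe and
    emits data descriptors (flag bit 3) instead of patching local headers later."""

    def __init__(self):
        self.buf = bytearray()

    def write(self, data):
        self.buf.extend(data)
        return len(data)

    def flush(self):
        pass


# Constructed payloads standing in for the real archive members (not sample bytes).
PAYLOADS = {
    "Release/mysql.data.dll": b"MZ" + b"constructed dll body " * 400,
    "Release/Etiff.exe": b"MZ" + b"constructed exe body " * 200,
}


def build_sample_archive() -> bytes:
    """Constructed stand-in for Release.zip: Deflate members with data descriptors."""
    sink = _WriteOnlySink()
    with zipfile.ZipFile(sink, "w") as zf:
        for name, data in PAYLOADS.items():
            # DOS timestamps have 2-second resolution, hence an even seconds value.
            info = zipfile.ZipInfo(name, date_time=(2022, 1, 14, 14, 53, 12))
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return bytes(sink.buf)


def expected_crc(name: str) -> str:
    """CRC-32 of a constructed payload, formatted like the report's ZipCRC field."""
    return f"0x{zlib.crc32(PAYLOADS[name]):08x}"


def is_unsafe_path(name: str) -> bool:
    """Zip-slip check: absolute paths, drive letters or '..' components escape the target dir."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":") or ".." in parts


def list_entries(data: bytes) -> list[dict]:
    """Per-member metadata for every entry, read from the central directory rather
    than from the first local header only."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            entries.append({
                "name": zi.filename,
                "required_version": zi.extract_version,
                "flag_bits": zi.flag_bits,
                "data_descriptor": bool(zi.flag_bits & FLAG_DATA_DESCRIPTOR),
                "encrypted": bool(zi.flag_bits & FLAG_ENCRYPTED),
                "compression": COMPRESSION_NAMES.get(zi.compress_type, str(zi.compress_type)),
                "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % zi.date_time,
                "crc32": f"0x{zi.CRC:08x}",
                "compressed_size": zi.compress_size,
                "uncompressed_size": zi.file_size,
                "executable": zi.filename.lower().endswith(EXECUTABLE_EXTS),
                "unsafe_path": is_unsafe_path(zi.filename),
            })
    return entries


if __name__ == "__main__":
    for e in list_entries(build_sample_archive()):
        print(f"{e['name']}: {e['compression']}, flags 0x{e['flag_bits']:04x}, "
              f"{e['crc32']}, {e['compressed_size']}/{e['uncompressed_size']} bytes, "
              f"executable={e['executable']}, unsafe_path={e['unsafe_path']}")
```

To run it against a real archive, replace build_sample_archive() with the file's bytes; list_entries only needs a readable central directory, which is also why it is the right place to look when the first local header has been tampered with or, as here, carries zeros because of the data-descriptor flag.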
Total processes: 39
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph nodes: winrar.exe, searchprotocolhost.exe (no specs), etiff.exe

Process information

PID 3624
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Release.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0

PID 3536
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\system32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Exit code: 0
  Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID 2984
  CMD: "C:\Users\admin\Desktop\Release\Etiff.exe"
  Path: C:\Users\admin\Desktop\Release\Etiff.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: Etiff
  Version: 3.0.0.0
Total events: 11 492
Read events: 11 247
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 35
Suspicious files: 0
Text files: 13
Unknown types: 1
Dropped files

All ten entries below were written by WinRAR.exe (PID 3624) while extracting the archive and are of type "executable"; the report counts 35 executable files in total, so this list is partial.

C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\TiffCrop.exe.deploy
  MD5: BABA636192DBD6DBABD7D6B13021A887
  SHA256: FB2E25B2DA1CA489B59A09BF064F3DDD96538398B01DB3DD52AFBBFFC345A5AB
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\Leadtools.WinForms.dll.deploy
  MD5: 3B4A114CA4B954C9B7F718D5DA048029
  SHA256: EF2859E55C19490E67DBDCC939DD1E02517D363DB08243DDCE97C2A384DC42CD
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\Leadtools.ImageProcessing.Effects.dll.deploy
  MD5: 570D329A73D264E510E1486AC1774512
  SHA256: 06B283D1B708B9DB13FD04948CBF0FDDA866226C85468FA9F8EE30944323F30B
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\GdPicture.NET.dll.deploy
  MD5: 87898566EB201D031F0C1D0A73D6ACF8
  SHA256: ED1270B5F483F588F84226BE163CB3340622C91B827A94BC749A874C4580CE6A
C:\Users\admin\Desktop\Release\app.publish\setup.exe
  MD5: 9D4671B68C0CCC7F553546BC92ADE90C
  SHA256: ADA201093CF83A02062397B8314B59D98177DE0E574B8992510987E760D92E72
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\Leadtools.Codecs.Tif.dll.deploy
  MD5: 15AA9C77BFFF95DC5C7A98C046C683A3
  SHA256: 254B2A9DD3C32A3E824D25750D8F4CB8E385EE6D99275EC140DBC8E48EE352FA
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\Leadtools.Codecs.Fax.dll.deploy
  MD5: 5F1922744D6FBBEB4C2650C7392BFF25
  SHA256: 8573386A05986A98A7ED206BB9235E1037D72294C8DC422D4325E089B8DC34AB
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\GdPicture.NET.PDF.dll.deploy
  MD5: CA45469CDA4E19667579E8337CED3BFA
  SHA256: 23459EFF6B2A5313211A782BCE9B112894419A3227B38D5599B5302AD31318CC
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\Leadtools.Codecs.dll.deploy
  MD5: 84A5AAF9E7891E35E239587B0BE6A496
  SHA256: 0DA8B74BBF94AD0957819F4077E6976226BCF5FF48AECF3ECD7AA7F77E524AE3
C:\Users\admin\Desktop\Release\app.publish\Application Files\Etiff_2_0_0_31\Leadtools.ImageProcessing.Utilities.dll.deploy
  MD5: E864366BD24FDBF7D455AA0D3D5BF598
  SHA256: A296DABD98FAFEC0425DFA0ED3D88E7BCC76BAE11DD31F0B9392AF2CE225B638

The app.publish\Application Files\Etiff_2_0_0_31\ folder, the .deploy suffix on every payload file and the sibling setup.exe are the layout ClickOnce produces when a .NET project is published: the archive carries a ClickOnce publish directory for an application named Etiff at version 2.0.0.31, whose payload files are named after the LEADTOOLS and GdPicture.NET imaging libraries. The Etiff.exe actually run (PID 2984) sits one level up, directly in Release\, and reports version 3.0.0.0. Note that the hashes above are of the files as written to disk, which is what an IOC match should be made against; the .deploy suffix is stripped by ClickOnce at install time, so the same bytes may appear elsewhere under the bare .exe/.dll name.
HTTP(S) requests: 0
TCP/UDP connections: 9
DNS requests: 0
Threats: 0

HTTP requests: none recorded

Connections

The connection table has columns PID, Process, IP, Domain, ASN, CN and Reputation, but only the IP:port and Reputation cells are populated:

IP:port                 Reputation
192.168.100.67:63342    malicious
192.168.100.67:63051    malicious
192.168.100.67:63341    malicious
192.168.100.67:63602    malicious
192.168.100.67:63050    malicious
192.168.100.67:62825    malicious
192.168.100.67:64400    malicious
192.168.100.67:63603    malicious
192.168.100.67:64401    malicious

All nine endpoints are one address in private (RFC 1918) space, 192.168.100.67, on ports in the ephemeral range, with no PID or process attribution, no DNS lookups and no HTTP traffic recorded. The "malicious" reputation label is therefore attached to a host inside the analysis network rather than to an Internet destination; on its own it does not establish command-and-control traffic or any external contact by Etiff.exe.
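The check a reviewer wants to make on a table like this is mechanical: which endpoints could even be external, and which "malicious" labels sit on local addresses and should be discounted. The script below is an added example, not part of the ANY.RUN report: it parses rows in the "<ip>:<port> <reputation>" form shown above, classifies each address against the RFC 1918, loopback, link-local and multicast ranges, and separates what can be evidence of external contact from what cannot. The first nine rows are the report's; the last two are constructed, using RFC 5737 documentation addresses in place of real external hosts, so the classifier has something to contrast them with.

```python
import ipaddress
import re

# Address ranges that cannot belong to an Internet host. A sandbox report
# endpoint in one of these is local to the analysis network.
LOCAL_RANGES = {
    "rfc1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
    "multicast": [ipaddress.ip_network("224.0.0.0/4")],
}

# Constructed input: the nine report rows plus two invented rows on
# documentation addresses (203.0.113.0/24 and 198.51.100.0/24) that stand in
# for external hosts.
SAMPLE_CONNECTIONS = """\
192.168.100.67:63342 malicious
192.168.100.67:63051 malicious
192.168.100.67:63341 malicious
192.168.100.67:63602 malicious
192.168.100.67:63050 malicious
192.168.100.67:62825 malicious
192.168.100.67:64400 malicious
192.168.100.67:63603 malicious
192.168.100.67:64401 malicious
203.0.113.10:443 unknown
198.51.100.7:8080 malicious
"""

ROW_RE = re.compile(r"^\s*(\S+):(\d{1,5})\s+(\S+)\s*$")


def classify(ip: str) -> str:
    """Name of the local range an address falls in, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in LOCAL_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ip, port, rep = m.group(1), int(m.group(2)), m.group(3)
        rows.append({
            "ip": ip, "port": port, "reputation": rep, "scope": classify(ip),
            # Windows allocates client ports from 49152-65535, so an endpoint
            # port in that range usually means the row shows the sandbox side
            # of a socket rather than a listening service.
            "ephemeral_port": port >= 49152,
        })
    return rows


def triage(text: str) -> dict:
    """Split rows into what can and cannot be evidence of external contact."""
    rows = parse_rows(text)
    external = [r for r in rows if r["scope"] == "external"]
    local = [r for r in rows if r["scope"] != "external"]
    # A 'malicious' label on a local address is the reputation engine firing on
    # the analysis network itself; keep those so the reviewer can discount them.
    discounted = [r for r in local if r["reputation"] == "malicious"]
    return {
        "external": external,
        "local": local,
        "discounted_labels": discounted,
        "distinct_external_hosts": sorted({r["ip"] for r in external}),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CONNECTIONS)
    print(f"{len(result['local'])} local endpoints, "
          f"{len(result['external'])} external, "
          f"{len(result['discounted_labels'])} 'malicious' labels on local addresses")
    for r in result["external"]:
        print(f"  external: {r['ip']}:{r['port']} ({r['reputation']})")
```

Run against only the nine rows from the report, the external list is empty and all nine labels land in discounted_labels, which is the conclusion drawn above; the two constructed rows show what a row that actually needs follow-up (ASN, passive DNS, PCAP) looks like.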

DNS requests: No data

Threats: No threats detected
Debug output

Process    Message
Etiff.exe  *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
Etiff.exe  *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
(this originated/propagated pair appears five times in the report)

-2147024774 is the signed decimal form of HRESULT 0x8007007A, i.e. HRESULT_FROM_WIN32(122) = ERROR_INSUFFICIENT_BUFFER. The isolation\com source path belongs to the Windows side-by-side (SxS) activation-context code, and an insufficient-buffer result raised in a copy-out routine and re-raised by an attribute enumerator is the ordinary "query the required size, then call again with a larger buffer" pattern. These lines show that Etiff.exe went through SxS activation-context processing; they are not by themselves evidence of malicious behaviour.
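Sandbox debug-output panes print HRESULTs as signed decimals, which hides the facility and Win32 code that make them readable. The following is an added example, not part of the ANY.RUN report: a Python decoder that reinterprets the signed value as a 32-bit HRESULT, splits out severity, facility and code, names the common Win32 codes, and parses lines in the "*** HR originated/propagated ..." form shown above into a per-site count. The sample log is the report's two messages repeated five times as the report shows them, plus one constructed line with a different HRESULT (a path under d:\constructed\) so the summary has something to contrast.

```python
import re
from collections import Counter

# HRESULT layout: bit 31 = failure, bits 16-28 = facility, bits 0-15 = code.
FACILITY_WIN32 = 7
FACILITY_NAMES = {0: "FACILITY_NULL", 1: "FACILITY_RPC", 2: "FACILITY_DISPATCH",
                  3: "FACILITY_STORAGE", 4: "FACILITY_ITF", 7: "FACILITY_WIN32",
                  8: "FACILITY_WINDOWS"}
# Win32 error codes that commonly reach a log through HRESULT_FROM_WIN32().
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
               5: "ERROR_ACCESS_DENIED", 87: "ERROR_INVALID_PARAMETER",
               122: "ERROR_INSUFFICIENT_BUFFER", 1168: "ERROR_NOT_FOUND"}

# Constructed log: the report's two messages five times each, plus one invented
# line (d:\constructed\example.cpp) carrying a different HRESULT.
SAMPLE_DEBUG_OUTPUT = (
    "Etiff.exe  *** HR originated: -2147024774 *** Source File: "
    r"d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302" "\n"
    "Etiff.exe  *** HR propagated: -2147024774 *** Source File: "
    r"d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144" "\n"
) * 5 + (
    "Etiff.exe  *** HR originated: -2147024894 *** Source File: "
    r"d:\constructed\example.cpp, line 1" "\n"
)

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+\*\*\* HR (?P<kind>originated|propagated): (?P<hr>-?\d+) "
    r"\*\*\* Source File: (?P<src>.+?), line (?P<line>\d+)\s*$"
)


def decode_hresult(value: int) -> dict:
    """Decode a signed 32-bit HRESULT as printed by Windows debug output."""
    hr = value & 0xFFFFFFFF                  # reinterpret the signed decimal as 32 bits
    facility = (hr >> 16) & 0x1FFF
    code = hr & 0xFFFF
    # Only FACILITY_WIN32 codes map onto the Win32 error table.
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"hex": f"0x{hr:08X}", "failed": bool(hr >> 31), "facility": facility,
            "facility_name": FACILITY_NAMES.get(facility, "unknown"),
            "code": code, "name": name}


def parse_debug_output(lines) -> list[dict]:
    """One record per matching '*** HR ...' line, with the HRESULT decoded."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({"process": m["proc"], "kind": m["kind"], "source": m["src"],
                        "line": int(m["line"]), **decode_hresult(int(m["hr"]))})
    return records


def summarize(records) -> dict:
    """Collapse repeated lines into counts per (kind, HRESULT, file, line)."""
    by_site = Counter((r["kind"], r["hex"], r["source"], r["line"]) for r in records)
    hresults = {r["hex"]: (r["facility_name"], r["name"]) for r in records}
    return {"total": len(records), "by_site": by_site, "hresults": hresults}


if __name__ == "__main__":
    summary = summarize(parse_debug_output(SAMPLE_DEBUG_OUTPUT.splitlines()))
    for hexval, (fac, name) in summary["hresults"].items():
        print(f"{hexval}: {fac} / {name}")
    for (kind, hexval, src, line), n in summary["by_site"].items():
        print(f"{n:2d}x {kind:10s} {hexval} at {src}:{line}")
```

The per-site counter is what turns ten near-identical lines into the two facts that matter: one origin site, one propagation site, both returning ERROR_INSUFFICIENT_BUFFER. A facility other than 7, or a code such as ERROR_ACCESS_DENIED at an unexpected site, is the kind of result that would justify a closer look.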