analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

c9ad9506bcccfaa987ff9fc11b91698d.zip

Full analysis: https://app.any.run/tasks/55efd1ad-1cbf-4dde-a186-2bd8c00e326e
Verdict: Malicious activity
Analysis date: December 05, 2022, 20:32:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5:

6FDF4A6DDD6F564589DD060BDC4DA2C3

SHA1:

68B34A47861C76B9544ADDCC2F8217EF249F4773

SHA256:

5C34C14865F4A98F6CC623710E445F479175AEAFAFCB55614B139FB61CFF9DE7

SSDEEP:

49152:K1Sbs3khfrYYv4IVKmJ5ucb8K/U0gmY9XzPJeR2tgUbUuBwdip3HvD3DF/:YSbRfr2IVKmJ5ucfLMTJvgU4ldip3fx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3256)
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • EQNEDT32.EXE (PID: 3256)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs excel.exe no specs eqnedt32.exe

Process information

PID
CMD
Path
Indicators
Parent process
1772"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\c9ad9506bcccfaa987ff9fc11b91698d.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
1000"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3256"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Total events
2 889
Read events
2 794
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
1000EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR3A3B.tmp.cvr
MD5:
SHA256:
1772WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1772.36908\44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsxbinary
MD5:C9AD9506BCCCFAA987FF9FC11B91698D
SHA256:44E65A641FB970031C5EFED324676B5018803E0A768608D3E186152102615795
1000EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FA9FF37.emfemf
MD5:0FA392C202F7506D4532E08F3D1419D0
SHA256:B7B48D3DE9EF45C190AF926E384385003DE89848FC2A38A11001B8040589A5C1
3256EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\network[1].htmhtml
MD5:06A1AC2F557B27281AFC326894F9B593
SHA256:F61B4BAB3131CD843C7044D4B3FF89F3929EF038275DF1B0FA4B498DBCC9642E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3256
EQNEDT32.EXE
GET
302
70.38.21.229:80
http://andaluciabeach.net/image/network.exe
CA
html
214 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3256
EQNEDT32.EXE
70.38.21.229:80
andaluciabeach.net
IWEB-AS
CA
suspicious

DNS requests

Domain
IP
Reputation
andaluciabeach.net
  • 70.38.21.229
suspicious
www.andaluciabeach.net
  • 70.38.21.229
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info