File name: 2oi7.cn3vrt.rsptify1.2.1.zip

Full analysis: https://app.any.run/tasks/12da10b3-1ae9-4c2b-96ed-24e75c9f9116
Verdict: Malicious activity
Analysis date: October 04, 2022, 21:19:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 18ACE70B892558B892013F8CEB43B606
SHA1: 886977A71BF963C5A69006AD248CB0E55D68E1C7
SHA256: 601FEB7803DD08DBFBDC61C060CA408A2EF35859EC1605DB0E0BDCA02E2D39CA
SSDEEP: 49152:OT69/lxHwmgCaZO8BMQo5Ftqwuj/8YqN0j+Gks+dkBQSw5/8O:OGbxHwHMTtqwuWN0jCoBQSwxl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SpotifyConverter.exe (PID: 588)
      • SpotifyConverter.exe (PID: 2548)
      • SpotifyConverter.exe (PID: 3848)
      • Patch.exe (PID: 2440)
      • Patch.exe (PID: 552)
      • SpotifyConverter.exe (PID: 2600)
    • Drops executable file immediately after starts

      • SpotifyConverter.exe (PID: 2548)
      • WinRAR.exe (PID: 4048)
      • SpotifyConverter.tmp (PID: 3664)
      • Patch.exe (PID: 552)
    • Loads dropped or rewritten executable

      • SpotifyConverter.exe (PID: 3848)
      • SpotifyConverter.exe (PID: 2600)
      • Patch.exe (PID: 552)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 4048)
      • SpotifyConverter.exe (PID: 2548)
      • SpotifyConverter.tmp (PID: 3664)
      • SpotifyConverter.exe (PID: 3848)
      • Patch.exe (PID: 552)
      • SpotifyConverter.exe (PID: 2600)
    • Reads the computer name

      • WinRAR.exe (PID: 4048)
      • SpotifyConverter.tmp (PID: 3664)
      • SpotifyConverter.exe (PID: 3848)
      • Patch.exe (PID: 552)
    • Executable content was dropped or overwritten

      • SpotifyConverter.exe (PID: 2548)
      • WinRAR.exe (PID: 4048)
      • SpotifyConverter.tmp (PID: 3664)
      • Patch.exe (PID: 552)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 4048)
      • SpotifyConverter.exe (PID: 2548)
      • SpotifyConverter.tmp (PID: 3664)
      • Patch.exe (PID: 552)
    • Reads the Windows organization settings

      • SpotifyConverter.tmp (PID: 3664)
    • Creates a directory in Program Files

      • SpotifyConverter.tmp (PID: 3664)
    • Reads Windows owner or organization settings

      • SpotifyConverter.tmp (PID: 3664)
    • Starts Internet Explorer

      • SpotifyConverter.tmp (PID: 3664)
    • Creates files in the user directory

      • SpotifyConverter.exe (PID: 3848)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2172)
    • Creates files in the program directory

      • Patch.exe (PID: 552)
  • INFO

    • Application was dropped or rewritten from another process

      • SpotifyConverter.tmp (PID: 3664)
    • Creates files in the program directory

      • SpotifyConverter.tmp (PID: 3664)
    • Reads the computer name

      • iexplore.exe (PID: 3300)
      • iexplore.exe (PID: 2172)
      • explorer.exe (PID: 2400)
    • Checks supported languages

      • iexplore.exe (PID: 3300)
      • iexplore.exe (PID: 2172)
      • explorer.exe (PID: 2400)
    • Changes internet zones settings

      • iexplore.exe (PID: 3300)
    • Application launched itself

      • iexplore.exe (PID: 3300)
    • Creates a software uninstall entry

      • SpotifyConverter.tmp (PID: 3664)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 3300)
    • Manual execution by user

      • Patch.exe (PID: 2440)
      • Patch.exe (PID: 552)
      • explorer.exe (PID: 2400)
      • SpotifyConverter.exe (PID: 2600)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 11
Malicious processes: 6
Suspicious processes: 0

Behavior graph

(Interactive process graph, not reproduced. Nodes: winrar.exe, spotifyconverter.exe, spotifyconverter.tmp, iexplore.exe, explorer.exe, patch.exe; edges labelled "drop and start" and "start"; processes marked "no specs" have no signature hits of their own.)

Process information

PID: 4048
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\2oi7.cn3vrt.rsptify1.2.1.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 588
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\SpotifyConverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\SpotifyConverter.exe
Parent process: WinRAR.exe
User: admin
Company: TunesKit, Inc.
Integrity Level: MEDIUM
Description: TunesKit Spotify Converter Setup
Exit code: 3221226540
Version: 1.2.1.100

PID: 2548
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\SpotifyConverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\SpotifyConverter.exe
Parent process: WinRAR.exe
User: admin
Company: TunesKit, Inc.
Integrity Level: HIGH
Description: TunesKit Spotify Converter Setup
Exit code: 0
Version: 1.2.1.100

PID: 3664
CMD: "C:\Users\admin\AppData\Local\Temp\is-5SUM8.tmp\SpotifyConverter.tmp" /SL5="$4012C,1609185,134144,C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\SpotifyConverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-5SUM8.tmp\SpotifyConverter.tmp
Parent process: SpotifyConverter.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0

PID: 3848
CMD: "C:\Program Files\TunesKit Spotify Converter\SpotifyConverter.exe"
Path: C:\Program Files\TunesKit Spotify Converter\SpotifyConverter.exe
Parent process: SpotifyConverter.tmp
User: admin
Company: TunesKit
Integrity Level: HIGH
Description: TunesKit Application
Exit code: 0
Version: 1, 2, 1, 100

PID: 3300
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.tuneskit.com/spotify-converter-for-win/user-guide.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: SpotifyConverter.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2172
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3300 CREDAT:275457 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2400
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2440
CMD: "C:\Program Files\TunesKit Spotify Converter\Patch.exe"
Path: C:\Program Files\TunesKit Spotify Converter\Patch.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 552
CMD: "C:\Program Files\TunesKit Spotify Converter\Patch.exe"
Path: C:\Program Files\TunesKit Spotify Converter\Patch.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Exit code: 3221225547
Total events: 3 697
Read events: 3 540
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 20
Suspicious files: 4
Text files: 127
Unknown types: 9

Dropped files

PID: 4048
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\Patch.exe
Type: executable
MD5: 43DF18B1EC765D05B604CA8087054D80
SHA256: C8BCC42E819EA0D0131DAE43C16EDC0EECBDE80A01C838DA9DBAA26255DC6E96

PID: 3664
Process: SpotifyConverter.tmp
Filename: C:\Program Files\TunesKit Spotify Converter\SpotifyConverter.exe
Type: executable
MD5: 881C29C9CB868559B6F31AAF31C2B7DD
SHA256: 76CAD9633849E2C1274D72B8F74D91A1E664348FC6621A7AE7409F4E601D6E03

PID: 4048
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\Visit - PirateCity.NET.url
Type: url
MD5: 84FDEBE5032C3E8D87892D8637475465
SHA256: 90209D2C9B1EB8A48340D65B28E972043E280BA7107EB072A154BED87F4EE1A3

PID: 4048
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\instructions.txt
Type: text
MD5: 6595EC68C031B7ACB2BB46D41AA4606F
SHA256: 2E6E55C082CC759C19ED55A9B342628FBDE2FEA2C36B7F4BFF2D78E57191334D

PID: 3664
Process: SpotifyConverter.tmp
Filename: C:\Program Files\TunesKit Spotify Converter\ConvertLibrary.dll
Type: executable
MD5: 2DB94CFBE89DF4B165E53EB77962E000
SHA256: 5B28329963F548AF9304B9F4801437F978133359EF9DE7473D7F15E053A10F8F

PID: 4048
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.6037\SpotifyConverter.exe
Type: executable
MD5: F40F93D6332DF1FF057B89C8E84DAB26
SHA256: 565A33F00D71F1464C60FC4BC830389F8629B3D425D56CD50872854EAC6D4745

PID: 3664
Process: SpotifyConverter.tmp
Filename: C:\Program Files\TunesKit Spotify Converter\is-20S8Q.tmp
Type: executable
MD5: 2DB94CFBE89DF4B165E53EB77962E000
SHA256: 5B28329963F548AF9304B9F4801437F978133359EF9DE7473D7F15E053A10F8F

PID: 3664
Process: SpotifyConverter.tmp
Filename: C:\Program Files\TunesKit Spotify Converter\is-2NJ0K.tmp
Type: executable
MD5: 881C29C9CB868559B6F31AAF31C2B7DD
SHA256: 76CAD9633849E2C1274D72B8F74D91A1E664348FC6621A7AE7409F4E601D6E03

PID: 3664
Process: SpotifyConverter.tmp
Filename: C:\Program Files\TunesKit Spotify Converter\WebStream.dll
Type: executable
MD5: 0D688C19A608B2EA853FC31BBC333BF1
SHA256: 2D671C20D0415ED907CB3FE0F39597A68CBB7A60BE0F00E29C8696D7A567D2AD

PID: 3664
Process: SpotifyConverter.tmp
Filename: C:\Program Files\TunesKit Spotify Converter\unins000.exe
Type: executable
MD5: 088B747993D8518895FC4DBF3E19130E
SHA256: 85D9C441E0CF0B6EC197F3A97AB91BB1AFA480FE91AB76B7F4A9901FCBAC780F
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 7
Threats: 0

HTTP requests

PID: 2172
Process: iexplore.exe
Method: GET
HTTP Code: 301
IP: 172.67.73.193:80
URL: http://www.tuneskit.com/spotify-converter-for-win/user-guide.html
CN: US
Type: html
Size: 274 b
Reputation: suspicious

PID: 3848
Process: SpotifyConverter.exe
Method: GET
HTTP Code: 200
IP: 172.67.73.193:80
URL: http://tuneskit.com/api/appuser?did=AE9F45EB49B0&install_at=20221004222016&pid=321&sign=1610ae2b1a01f8c4b27ab024b56c2239&summary=TunesKit%20Spotify%20Converter(1.2.1.100),%20Windows%207%20Service%20Pack%201%20(6.1.7601)
CN: US
Type: binary
Size: 155 b
Reputation: suspicious

Connections

PID: 2172
Process: iexplore.exe
IP: 172.67.73.193:443
Domain: tuneskit.com
ASN: CLOUDFLARENET
CN: US
Reputation: suspicious

PID: 3848
Process: SpotifyConverter.exe
IP: 172.67.73.193:80
Domain: tuneskit.com
ASN: CLOUDFLARENET
CN: US
Reputation: suspicious

PID: 2172
Process: iexplore.exe
IP: 172.67.73.193:80
Domain: tuneskit.com
ASN: CLOUDFLARENET
CN: US
Reputation: suspicious

DNS requests

tuneskit.com (reputation: suspicious)
  • 172.67.73.193
  • 104.26.7.197
  • 104.26.6.197
www.tuneskit.com (reputation: suspicious)
  • 172.67.73.193
  • 104.26.7.197
  • 104.26.6.197
api.bing.com (reputation: whitelisted)
  • 13.107.5.80
www.bing.com (reputation: whitelisted)
  • 204.79.197.200
  • 13.107.21.200

Threats

No threats detected
Debug output (Process | Message)

SpotifyConverter.exe | WinSparkle: ----------------------------
SpotifyConverter.exe | WinSparkle: *** USING INSECURE URL: appcast feed from http://www.tuneskit.com/app_update_files/spotifyconverter/win_update.xml ***
SpotifyConverter.exe | WinSparkle: ----------------------------
SpotifyConverter.exe | WinSparkle: ----------------------------
SpotifyConverter.exe | WinSparkle: *** USING INSECURE URL: appcast feed from http://www.tuneskit.com/app_update_files/spotifyconverter/win_update.xml ***
SpotifyConverter.exe | WinSparkle: ----------------------------