File name: 2oi7.cn3vrt.rsptify1.2.1.zip

Full analysis: https://app.any.run/tasks/375d487d-75b5-4b95-b0d6-b3acc51bf3b7
Verdict: Malicious activity
Analysis date: October 04, 2022, 21:17:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 18ACE70B892558B892013F8CEB43B606
SHA1: 886977A71BF963C5A69006AD248CB0E55D68E1C7
SHA256: 601FEB7803DD08DBFBDC61C060CA408A2EF35859EC1605DB0E0BDCA02E2D39CA
SSDEEP: 49152:OT69/lxHwmgCaZO8BMQo5Ftqwuj/8YqN0j+Gks+dkBQSw5/8O:OGbxHwHMTtqwuWN0jCoBQSwxl

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report can therefore be distorted by user actions and is provided as-is for the reader's information. ANY.RUN does not guarantee either the maliciousness or the safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3392)
      • SpotifyConverter.exe (PID: 3140)
      • SpotifyConverter.tmp (PID: 1744)
      • Patch.exe (PID: 2356)
    • Application was dropped or rewritten from another process
      • SpotifyConverter.exe (PID: 3844)
      • SpotifyConverter.exe (PID: 3140)
      • Patch.exe (PID: 3640)
      • Patch.exe (PID: 2356)
      • SpotifyConverter.exe (PID: 868)
    • Loads dropped or rewritten executable
      • SpotifyConverter.exe (PID: 868)
      • Patch.exe (PID: 2356)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3392)
      • SpotifyConverter.tmp (PID: 1744)
      • Patch.exe (PID: 2356)
      • SpotifyConverter.exe (PID: 868)
    • Checks supported languages
      • WinRAR.exe (PID: 3392)
      • SpotifyConverter.exe (PID: 3140)
      • SpotifyConverter.tmp (PID: 1744)
      • Patch.exe (PID: 2356)
      • SpotifyConverter.exe (PID: 868)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3392)
      • SpotifyConverter.exe (PID: 3140)
      • SpotifyConverter.tmp (PID: 1744)
      • Patch.exe (PID: 2356)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3392)
      • SpotifyConverter.exe (PID: 3140)
      • SpotifyConverter.tmp (PID: 1744)
      • Patch.exe (PID: 2356)
    • Reads Windows owner or organization settings
      • SpotifyConverter.tmp (PID: 1744)
    • Reads the Windows organization settings
      • SpotifyConverter.tmp (PID: 1744)
    • Creates a directory in Program Files
      • SpotifyConverter.tmp (PID: 1744)
    • Creates files in the user directory
      • SpotifyConverter.tmp (PID: 1744)
      • SpotifyConverter.exe (PID: 868)
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2292)
      • SpotifyConverter.exe (PID: 868)
    • Starts Internet Explorer
      • SpotifyConverter.tmp (PID: 1744)
    • Creates files in the program directory
      • Patch.exe (PID: 2356)
    • Reads Internet Explorer settings
      • SpotifyConverter.exe (PID: 868)
  • INFO
    • Checks supported languages
      • NOTEPAD.EXE (PID: 2792)
      • iexplore.exe (PID: 2292)
      • iexplore.exe (PID: 680)
      • explorer.exe (PID: 3372)
    • Manual execution by user
      • SpotifyConverter.exe (PID: 3140)
      • SpotifyConverter.exe (PID: 3844)
      • Patch.exe (PID: 2356)
      • Patch.exe (PID: 3640)
      • explorer.exe (PID: 3372)
      • SpotifyConverter.exe (PID: 868)
    • Application was dropped or rewritten from another process
      • SpotifyConverter.tmp (PID: 1744)
    • Creates a software uninstall entry
      • SpotifyConverter.tmp (PID: 1744)
    • Creates files in the program directory
      • SpotifyConverter.tmp (PID: 1744)
    • Reads the computer name
      • iexplore.exe (PID: 680)
      • iexplore.exe (PID: 2292)
      • explorer.exe (PID: 3372)
    • Changes internet zones settings
      • iexplore.exe (PID: 680)
    • Application launched itself
      • iexplore.exe (PID: 680)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2292)
      • SpotifyConverter.exe (PID: 868)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2292)
      • SpotifyConverter.exe (PID: 868)
    • Reads the date of Windows installation
      • iexplore.exe (PID: 680)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)
All screenshots are available in the full report
Total processes: 57
Monitored processes: 11
Malicious processes: 5
Suspicious processes: 0

Behavior graph: interactive graph available in the full report (nodes: winrar.exe, notepad.exe, spotifyconverter.exe, spotifyconverter.tmp, iexplore.exe, explorer.exe, patch.exe)

Process information

PID: 3392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\2oi7.cn3vrt.rsptify1.2.1.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\program files\winrar\winrar.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 2792
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.40750\instructions.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\notepad.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 3844
CMD: "C:\Users\admin\Desktop\SpotifyConverter.exe"
Path: C:\Users\admin\Desktop\SpotifyConverter.exe
Parent process: Explorer.EXE
User: admin
Company: TunesKit, Inc.
Integrity Level: MEDIUM
Description: TunesKit Spotify Converter Setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the installer's manifest demands administrator rights, so this MEDIUM-integrity launch never got past loading ntdll and Windows re-launched it through the UAC prompt as PID 3140)
Version: 1.2.1.100
Modules (images):
  c:\users\admin\desktop\spotifyconverter.exe
  c:\windows\system32\ntdll.dll

PID: 3140
CMD: "C:\Users\admin\Desktop\SpotifyConverter.exe"
Path: C:\Users\admin\Desktop\SpotifyConverter.exe
Parent process: Explorer.EXE
User: admin
Company: TunesKit, Inc.
Integrity Level: HIGH
Description: TunesKit Spotify Converter Setup
Exit code: 0
Version: 1.2.1.100
Modules (images):
  c:\users\admin\desktop\spotifyconverter.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\ole32.dll

PID: 1744
CMD: "C:\Users\admin\AppData\Local\Temp\is-S43S2.tmp\SpotifyConverter.tmp" /SL5="$7012A,1609185,134144,C:\Users\admin\Desktop\SpotifyConverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-S43S2.tmp\SpotifyConverter.tmp
Parent process: SpotifyConverter.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Note: the is-XXXXX.tmp directory, the *.tmp second-stage binary and the /SL5= switch pointing back at the original setup file are the standard launch pattern of an Inno Setup installer.
Modules (images):
  c:\users\admin\appdata\local\temp\is-s43s2.tmp\spotifyconverter.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll

PID: 680
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.tuneskit.com/spotify-converter-for-win/user-guide.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: SpotifyConverter.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 2292
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:680 CREDAT:275457 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
  c:\windows\system32\version.dll

PID: 3372
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll

PID: 3640
CMD: "C:\Program Files\TunesKit Spotify Converter\Patch.exe"
Path: C:\Program Files\TunesKit Spotify Converter\Patch.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: same UAC relaunch pattern as PID 3844; the elevated instance is PID 2356)
Modules (images):
  c:\program files\tuneskit spotify converter\patch.exe
  c:\windows\system32\ntdll.dll

PID: 2356
CMD: "C:\Program Files\TunesKit Spotify Converter\Patch.exe"
Path: C:\Program Files\TunesKit Spotify Converter\Patch.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Exit code: 3221225547 (0xC000004B, STATUS_THREAD_IS_TERMINATING)
Modules (images):
  c:\program files\tuneskit spotify converter\patch.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\appdata\local\temp\dup2patcher.dll   (loaded from the user's %TEMP% by a process running elevated out of Program Files)
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\usp10.dll
Total events: 10 599
Read events: 10 408
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 19
Suspicious files: 7
Text files: 132
Unknown types: 11

Dropped files

PID 3392, WinRAR.exe, executable
  C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.40525\Patch.exe
  MD5: 43DF18B1EC765D05B604CA8087054D80
  SHA256: C8BCC42E819EA0D0131DAE43C16EDC0EECBDE80A01C838DA9DBAA26255DC6E96
PID 1744, SpotifyConverter.tmp, executable
  C:\Program Files\TunesKit Spotify Converter\SpotifyConverter.exe
  MD5: 881C29C9CB868559B6F31AAF31C2B7DD
  SHA256: 76CAD9633849E2C1274D72B8F74D91A1E664348FC6621A7AE7409F4E601D6E03
PID 1744, SpotifyConverter.tmp, executable
  C:\Program Files\TunesKit Spotify Converter\ConvertLibrary.dll
  MD5: 2DB94CFBE89DF4B165E53EB77962E000
  SHA256: 5B28329963F548AF9304B9F4801437F978133359EF9DE7473D7F15E053A10F8F
PID 1744, SpotifyConverter.tmp, executable
  C:\Program Files\TunesKit Spotify Converter\is-96TC6.tmp
  MD5: 2DB94CFBE89DF4B165E53EB77962E000
  SHA256: 5B28329963F548AF9304B9F4801437F978133359EF9DE7473D7F15E053A10F8F
PID 3392, WinRAR.exe, text
  C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.40750\instructions.txt
  MD5: 6595EC68C031B7ACB2BB46D41AA4606F
  SHA256: 2E6E55C082CC759C19ED55A9B342628FBDE2FEA2C36B7F4BFF2D78E57191334D
PID 3392, WinRAR.exe, url
  C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.40525\Visit - PirateCity.NET.url
  MD5: 84FDEBE5032C3E8D87892D8637475465
  SHA256: 90209D2C9B1EB8A48340D65B28E972043E280BA7107EB072A154BED87F4EE1A3
PID 3392, WinRAR.exe, executable
  C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.40525\SpotifyConverter.exe
  MD5: F40F93D6332DF1FF057B89C8E84DAB26
  SHA256: 565A33F00D71F1464C60FC4BC830389F8629B3D425D56CD50872854EAC6D4745
PID 1744, SpotifyConverter.tmp, executable
  C:\Program Files\TunesKit Spotify Converter\is-GMPHI.tmp
  MD5: 881C29C9CB868559B6F31AAF31C2B7DD
  SHA256: 76CAD9633849E2C1274D72B8F74D91A1E664348FC6621A7AE7409F4E601D6E03
PID 3140, SpotifyConverter.exe, executable
  C:\Users\admin\AppData\Local\Temp\is-S43S2.tmp\SpotifyConverter.tmp
  MD5: C1306F4050827812118ED15C45B1D9EC
  SHA256: 1CE8C4374D8B8C37DD7681C54B47A38C26C4203A1755520624DEA91C7B9308FB
PID 1744, SpotifyConverter.tmp, executable
  C:\Program Files\TunesKit Spotify Converter\WinSparkle.dll
  MD5: 51AA45D5F9DDC28BCEAB746DD4A46A3F
  SHA256: 44C2ED7544D72650B3591D9A4523F7C72FDAEF2A98681F67F301290D3B788B35
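Two things are easy to miss in the dropped-files list. First, the hashes repeat: is-96TC6.tmp has the same SHA-256 as ConvertLibrary.dll and is-GMPHI.tmp the same as the installed SpotifyConverter.exe, because Inno Setup writes each file under an is-XXXXX.tmp name and renames it once the copy succeeds, so the ten records describe eight distinct files. Second, Patch.exe was not written by the installer at all: WinRAR extracted it from the archive next to the setup file, the PirateCity.NET shortcut and instructions.txt. The following is an added example, not code from the report: the records are transcribed from the table above (SHA-256 only) and the helper names are ours.

```python
"""Deduplicate the dropped-files table by content hash, fold Inno Setup staging
names onto their final paths, and attribute each distinct executable to the
process that wrote it.  Added example; data transcribed from the report."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (pid, process, path, type, sha256) transcribed from the report.
DROPPED = [
    (3392, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.40525\Patch.exe",
     "executable", "C8BCC42E819EA0D0131DAE43C16EDC0EECBDE80A01C838DA9DBAA26255DC6E96"),
    (1744, "SpotifyConverter.tmp", r"C:\Program Files\TunesKit Spotify Converter\SpotifyConverter.exe",
     "executable", "76CAD9633849E2C1274D72B8F74D91A1E664348FC6621A7AE7409F4E601D6E03"),
    (1744, "SpotifyConverter.tmp", r"C:\Program Files\TunesKit Spotify Converter\ConvertLibrary.dll",
     "executable", "5B28329963F548AF9304B9F4801437F978133359EF9DE7473D7F15E053A10F8F"),
    (1744, "SpotifyConverter.tmp", r"C:\Program Files\TunesKit Spotify Converter\is-96TC6.tmp",
     "executable", "5B28329963F548AF9304B9F4801437F978133359EF9DE7473D7F15E053A10F8F"),
    (3392, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.40750\instructions.txt",
     "text", "2E6E55C082CC759C19ED55A9B342628FBDE2FEA2C36B7F4BFF2D78E57191334D"),
    (3392, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.40525\Visit - PirateCity.NET.url",
     "url", "90209D2C9B1EB8A48340D65B28E972043E280BA7107EB072A154BED87F4EE1A3"),
    (3392, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa3392.40525\SpotifyConverter.exe",
     "executable", "565A33F00D71F1464C60FC4BC830389F8629B3D425D56CD50872854EAC6D4745"),
    (1744, "SpotifyConverter.tmp", r"C:\Program Files\TunesKit Spotify Converter\is-GMPHI.tmp",
     "executable", "76CAD9633849E2C1274D72B8F74D91A1E664348FC6621A7AE7409F4E601D6E03"),
    (3140, "SpotifyConverter.exe", r"C:\Users\admin\AppData\Local\Temp\is-S43S2.tmp\SpotifyConverter.tmp",
     "executable", "1CE8C4374D8B8C37DD7681C54B47A38C26C4203A1755520624DEA91C7B9308FB"),
    (1744, "SpotifyConverter.tmp", r"C:\Program Files\TunesKit Spotify Converter\WinSparkle.dll",
     "executable", "44C2ED7544D72650B3591D9A4523F7C72FDAEF2A98681F67F301290D3B788B35"),
]

# Inno Setup staging file name: "is-" + five alphanumerics + ".tmp" (the is-XXXXX.tmp
# *directory* under %TEMP% is not matched, since we test the basename only).
INNO_STAGING = re.compile(r"^is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)


def is_staging_name(path: str) -> bool:
    return bool(INNO_STAGING.match(ntpath.basename(path)))


def group_by_hash(records) -> Dict[str, List[str]]:
    """sha256 -> every path written with that exact content."""
    groups = defaultdict(list)
    for _pid, _proc, path, _ftype, sha in records:
        groups[sha].append(path)
    return dict(groups)


def resolve_staging_names(records) -> Dict[str, Optional[str]]:
    """Map each is-XXXXX.tmp path to the final path carrying identical bytes
    (None if the rename never showed up in the report)."""
    resolved = {}
    for paths in group_by_hash(records).values():
        finals = [p for p in paths if not is_staging_name(p)]
        for p in paths:
            if is_staging_name(p):
                resolved[p] = finals[0] if finals else None
    return resolved


def distinct_executables(records) -> List[Tuple[str, str, str]]:
    """One (sha256 prefix, dropping process, final basename) per unique executable."""
    by_sha: Dict[str, dict] = {}
    for pid, proc, path, ftype, sha in records:
        if ftype != "executable":
            continue
        by_sha.setdefault(sha, {"process": proc, "paths": []})["paths"].append(path)
    out = []
    for sha, e in by_sha.items():
        finals = [p for p in e["paths"] if not is_staging_name(p)] or e["paths"]
        out.append((sha[:12], e["process"], ntpath.basename(finals[0])))
    return out


if __name__ == "__main__":
    for staged, final in resolve_staging_names(DROPPED).items():
        print(f"{ntpath.basename(staged)} -> {final}")
    for sha, proc, name in distinct_executables(DROPPED):
        print(f"{sha}  {proc:22s} {name}")
```

Running it shows six distinct executables, two of them named SpotifyConverter.exe with different hashes (the archive's setup stub versus the installed program), and only two of the six written by WinRAR: the setup stub and Patch.exe.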
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 10
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2292 | iexplore.exe | GET | 301 | 172.67.73.193:80 | http://www.tuneskit.com/spotify-converter-for-win/user-guide.html | US | html | 274 b | suspicious
2292 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
868 | SpotifyConverter.exe | GET | 301 | 172.67.73.193:80 | http://www.tuneskit.com/app_update_files/spotifyconverter/win_update.xml | US | html | 281 b | suspicious
868 | SpotifyConverter.exe | GET | 200 | 104.26.6.197:80 | http://tuneskit.com/api/appuser?did=618800AEABCA&install_at=20221004221857&pid=321&sign=53768175cb5746cb4851b4d0d6cbee09&summary=TunesKit%20Spotify%20Converter(1.2.1.100),%20Windows%207%20Service%20Pack%201%20(6.1.7601) | US | binary | 155 b | suspicious
2292 | iexplore.exe | GET | 200 | 8.238.189.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fb80389f517f0321 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2292 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
2292 | iexplore.exe | 172.67.73.193:80 | www.tuneskit.com | CLOUDFLARENET | US | suspicious
868 | SpotifyConverter.exe | 172.67.73.193:80 | www.tuneskit.com | CLOUDFLARENET | US | suspicious
2292 | iexplore.exe | 8.238.189.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious
868 | SpotifyConverter.exe | 104.26.6.197:80 | www.tuneskit.com | CLOUDFLARENET | US | suspicious
2292 | iexplore.exe | 188.114.96.3:443 | www.viwizard.com | CLOUDFLARENET | NL | malicious
2292 | iexplore.exe | 172.67.73.193:443 | www.tuneskit.com | CLOUDFLARENET | US | suspicious
868 | SpotifyConverter.exe | 172.67.73.193:443 | www.tuneskit.com | CLOUDFLARENET | US | suspicious

DNS requests

Domain | IP(s) | Reputation
www.tuneskit.com | 172.67.73.193, 104.26.6.197, 104.26.7.197 | suspicious
ctldl.windowsupdate.com | 8.238.189.126, 67.26.75.254, 8.248.143.254, 8.253.204.121, 8.253.207.120 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
www.viwizard.com | 188.114.96.3, 188.114.97.3 | malicious
tuneskit.com | 104.26.6.197, 172.67.73.193, 104.26.7.197 | suspicious

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Debug output (Process | Message)
SpotifyConverter.exe | WinSparkle: ----------------------------
SpotifyConverter.exe | WinSparkle: *** USING INSECURE URL: appcast feed from http://www.tuneskit.com/app_update_files/spotifyconverter/win_update.xml ***
SpotifyConverter.exe | WinSparkle: ----------------------------
SpotifyConverter.exe | WinSparkle: ----------------------------
SpotifyConverter.exe | WinSparkle: *** USING INSECURE URL: appcast feed from http://www.tuneskit.com/app_update_files/spotifyconverter/win_update.xml ***
SpotifyConverter.exe | WinSparkle: ----------------------------
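The debug output and the HTTP requests table describe the same weakness from two sides: WinSparkle itself warns that the appcast feed is configured over plaintext HTTP, and the request from PID 868 to that exact URL is visible in the capture (it received a 301; the report does not show where the redirect pointed). An update feed fetched over plaintext is the classic position for an on-path attacker to hand the client a forged appcast. The same process also sends a first-run beacon to tuneskit.com/api/appuser carrying a 12-hex-digit device id, the install timestamp and a 32-hex-digit `sign` value over HTTP. The following is an added example, not code from the report or from the WinSparkle project: the log lines and requests are transcribed from the tables above, and the function names are ours.

```python
"""Cross-check WinSparkle's insecure-appcast warning against the recorded HTTP
traffic and decode the first-run beacon.  Added example; log lines and requests
transcribed from the ANY.RUN report, helper names are ours."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

WINSPARKLE_INSECURE = re.compile(r"USING INSECURE URL: appcast feed from (\S+)")

# Debug strings printed by SpotifyConverter.exe (PID 868), as shown in the report.
DEBUG_LOG = [
    "WinSparkle: ----------------------------",
    "WinSparkle: *** USING INSECURE URL: appcast feed from "
    "http://www.tuneskit.com/app_update_files/spotifyconverter/win_update.xml ***",
    "WinSparkle: ----------------------------",
]

# (pid, process, method, status, url) transcribed from the HTTP requests table.
HTTP_REQUESTS = [
    (2292, "iexplore.exe", "GET", 301,
     "http://www.tuneskit.com/spotify-converter-for-win/user-guide.html"),
    (2292, "iexplore.exe", "GET", 200,
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D"),
    (868, "SpotifyConverter.exe", "GET", 301,
     "http://www.tuneskit.com/app_update_files/spotifyconverter/win_update.xml"),
    (868, "SpotifyConverter.exe", "GET", 200,
     "http://tuneskit.com/api/appuser?did=618800AEABCA&install_at=20221004221857&pid=321"
     "&sign=53768175cb5746cb4851b4d0d6cbee09"
     "&summary=TunesKit%20Spotify%20Converter(1.2.1.100),%20Windows%207%20Service%20Pack%201%20(6.1.7601)"),
    (2292, "iexplore.exe", "GET", 200,
     "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fb80389f517f0321"),
]

# Windows/browser background traffic that is plaintext by design: the OCSP
# response and the CTL cab are signed objects, so HTTP transport is expected there.
OS_BACKGROUND_HOSTS = {"ocsp.digicert.com", "ctldl.windowsupdate.com"}


def appcast_urls(lines: List[str]) -> List[str]:
    """Appcast URLs that WinSparkle itself flagged as insecure."""
    found = []
    for line in lines:
        m = WINSPARKLE_INSECURE.search(line)
        if m:
            found.append(m.group(1))
    return found


def plaintext_sample_requests(requests) -> List[Tuple[int, int, str]]:
    """http:// requests issued by the sample's own processes (not the browser,
    not OS background hosts): (pid, status, url)."""
    out = []
    for pid, proc, _method, status, url in requests:
        parts = urlsplit(url)
        if (parts.scheme == "http" and proc.lower() != "iexplore.exe"
                and parts.hostname not in OS_BACKGROUND_HOSTS):
            out.append((pid, status, url))
    return out


def appcast_fetch_status(lines, requests) -> Dict[str, Optional[int]]:
    """For each flagged appcast URL: the HTTP status the capture shows for it,
    or None if the client never actually requested it."""
    status_by_url = {url: status for _pid, _proc, _m, status, url in requests}
    return {u: status_by_url.get(u) for u in dict.fromkeys(appcast_urls(lines))}


def beacon_fields(url: str) -> Dict[str, str]:
    """Query parameters of the first-run beacon, percent-decoding applied."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    for url, status in appcast_fetch_status(DEBUG_LOG, HTTP_REQUESTS).items():
        print(f"appcast over plaintext: {url} -> HTTP {status}")
    for pid, status, url in plaintext_sample_requests(HTTP_REQUESTS):
        print(f"PID {pid} plaintext request ({status}): {url}")
    for k, v in beacon_fields(HTTP_REQUESTS[3][4]).items():
        print(f"  {k} = {v}")
```

The filter deliberately leaves the browser's OCSP and CTL fetches out of the findings: those are signed artifacts that Windows retrieves over HTTP by design, whereas an appcast feed and a telemetry beacon from the sample's own process carry no such protection unless the transport provides it.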