File name: XML002118xc949263487_.zip
Full analysis: https://app.any.run/tasks/872a75da-73dd-4255-937f-d39ed60395bb
Verdict: Malicious activity
Analysis date: January 22, 2019, 21:15:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/octet-stream
File info: data
MD5: 9FB11EC2684BAA26E90364DA39CD1338
SHA1: A6FE888516255B0C988ED121FB66ED83DD1666E9
SHA256: 693EEEFB55F29F985BA3C1A18AE8E5D96F907F79AF2BEC4F450777F987FB3A2D
SSDEEP: 48:yKA/Ro5+9uffYfCHpkbtFgqv67U3praSi3EJw1Z8Jn3htl:Gpo5/fQfukbtaDg3prHi3O08JRX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • sNC_553.exe (PID: 3976)
    • Application was dropped or rewritten from another process
      • sNC_553.exe (PID: 3976)
    • Changes settings of System certificates
      • wscript.exe (PID: 3932)
    • Runs PING.EXE for delay simulation
      • cmd.exe (PID: 2756)
    • Changes the autorun value in the registry
      • sNC_553.exe (PID: 3976)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • WinRAR.exe (PID: 2884)
    • Creates files in the user directory
      • wscript.exe (PID: 3932)
    • Executable content was dropped or overwritten
      • wscript.exe (PID: 3932)
    • Creates files in the program directory
      • wscript.exe (PID: 3932)
    • Executes scripts
      • cmd.exe (PID: 2756)
    • Adds / modifies Windows certificates
      • wscript.exe (PID: 3932)
    • Disables Form Suggestion in IE
      • sNC_553.exe (PID: 3976)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, cmd.exe, ping.exe, wscript.exe, cmd.exe, cmd.exe, snc_553.exe, notepad.exe (the interactive graph itself is not reproduced in this text export).

Process information

PID 2884  WinRAR.exe  (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XML002118xc949263487_.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 2756  cmd.exe  (parent: WinRAR.exe)
  CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.25222\XML002118xc.cmd" "
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3476  PING.EXE  (parent: cmd.exe)
  CMD: ping 127.0.0.1 -n 1
  Path: C:\Windows\system32\PING.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: TCP/IP Ping Command | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3932  wscript.exe  (parent: cmd.exe)
  CMD: wscript //Nologo "C:\Users\Public\admin\admin.vbs" ssaA0YSiDNV67mGTIzvcw3uDu168BmoDZdamYPcvCkX
  Path: C:\Windows\system32\wscript.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 3644  cmd.exe  (parent: WinRAR.exe)
  CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.26136\XML002118xc.cmd" "
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2680  cmd.exe  (parent: explorer.exe)
  CMD: cmd /c ""C:\Users\admin\Desktop\XML002118xc.cmd" "
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3976  sNC_553.exe  (parent: wscript.exe)
  CMD: "C:\ProgramData\sNC_553\sNC_553.exe"
  Path: C:\ProgramData\sNC_553\sNC_553.exe
  User: admin | Company: VMware, Inc. | Integrity Level: MEDIUM | Description: VMware NAT Service | Version: 12.5.6 build-5528349

PID 3392  NOTEPAD.EXE  (parent: explorer.exe)
  CMD: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\XML002118xc.cmd
  Path: C:\Windows\System32\NOTEPAD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Notepad | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 642
Read events: 592
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 86
Unknown types: 1

Dropped files

PID   Process      Type        Filename
2884  WinRAR.exe   text        C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.25222\XML002118xc.cmd
      MD5: 12765980C91B01873AE163DC6CD42BCE
      SHA256: B78AF30898B5DD984C3FA640507099C6E69B7EB5485F642A6A22A6806B885239
2756  cmd.exe      text        C:\Users\Public\admin\admin.vbs
      MD5: D7918BE083296817531F08AB125F9F75
      SHA256: F9B592CEBD16D83074C23B3A887694096FB8D0568A7BFA6DAB05A78A95723528
2884  WinRAR.exe   (none)      C:\Users\admin\AppData\Local\Temp\Rar$DRa2884.26618\XML002118xc.cmd
      MD5: (not recorded)
      SHA256: (not recorded)
3932  wscript.exe  (none)      C:\ProgramData\sNC_553\CPSTV3NH4KUWET74KJZ09RO1MMXCTBCST
      MD5: (not recorded)
      SHA256: (not recorded)
3932  wscript.exe  (none)      C:\ProgramData\sNC_553\IKOQEKTO25RDTT0QZ4PMHUDZLBHF1
      MD5: (not recorded)
      SHA256: (not recorded)
3932  wscript.exe  text        C:\ProgramData\MfzZCcpf8JF62LN0CL
      MD5: 3FE701A02320A9888828B76821445BD5
      SHA256: F58BED8AFCF718A4220C6313BEDCC97106DB24E9B596FE33C600830E14181C9B
2884  WinRAR.exe   text        C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.26136\XML002118xc.cmd
      MD5: 12765980C91B01873AE163DC6CD42BCE
      SHA256: B78AF30898B5DD984C3FA640507099C6E69B7EB5485F642A6A22A6806B885239
3932  wscript.exe  compressed  C:\ProgramData\software.zip
      MD5: B856FC33AE899118A22BFD7BD785670F
      SHA256: 7DE1F9F31668C38004BBAA305CD854DC5CF0366B62CF11D1417B567C60246AAC
3932  wscript.exe  executable  C:\ProgramData\sNC_553\shfolder.dll
      MD5: 7C40E849B2BA20E84D89CD765F0A631E
      SHA256: 7C493322A3A614C059EFA7BC988E2562F05E52C6613564F918B742522F748EC7
3932  wscript.exe  compressed  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\2301[1].zip
      MD5: B856FC33AE899118A22BFD7BD785670F
      SHA256: 7DE1F9F31668C38004BBAA305CD854DC5CF0366B62CF11D1417B567C60246AAC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                  Domain              ASN                          CN  Reputation
3932  wscript.exe  180.250.19.130:443  www.psim.ipb.ac.id  PT Telekomunikasi Indonesia  ID  unknown

DNS requests

Domain              IP              Reputation
www.psim.ipb.ac.id  180.250.19.130  unknown

Threats

No threats detected

Process      Message
sNC_553.exe  CodeSet_Init: no ICU