File name: 冰影-LD7.6.zip
Full analysis: https://app.any.run/tasks/854c0d77-a16b-467e-bba5-f409a1e90c64
Verdict: Malicious activity
Analysis date: July 12, 2020, 23:00:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 12717BB161B26457D60C8889A5F8A11A
SHA1: 4DE0AC3A17370116A412A32EB535CEBDFE283F52
SHA256: 699A94781124C41CB11CFAFA3F8423B296AFA1B69E17723A06D26FD07C5314E1
SSDEEP: 196608:aFnBiQNQ0W5I7dbHp3y70Q1+VPEsP4bVqBWell6O1kiHq04snMBq:amADly7UpEsPjWm9kiHcsMY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 冰影-LD7.6.exe (PID: 3004)
      • 冰影-LD7.6.exe (PID: 2616)
      • 冰影-LD7.6.exe (PID: 2624)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 292)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3312)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: ??Ӱ-LD7.6.exe
ZipUncompressedSize: 9736192
ZipCompressedSize: 7969408
ZipCRC: 0x31c3744a
ZipModifyDate: 2020:07:06 23:16:13
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes in the graph: winrar.exe, explorer.exe, 冰影-ld7.6.exe (three instances), wermgr.exe

Process information

PID: 3312
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 292
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2624
CMD: "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe"
Path: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225477 (0xC0000005)

PID: 3004
CMD: "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe"
Path: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005)

PID: 2764
CMD: "C:\Windows\system32\wermgr.exe" "-outproc" "292" "2760"
Path: C:\Windows\system32\wermgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2616
CMD: "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe"
Path: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Total events: 981
Read events: 840
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

PID: 292
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Temp\TabAE6D.tmp
Type, MD5, SHA256: not recorded in the report

PID: 292
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Temp\{5bb56fb0-dce9-4696-887a-6056d20f740e}\appcompat.txt
Type, MD5, SHA256: not recorded in the report

PID: 292
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Temp\OutofProcReport2666329.txt
Type, MD5, SHA256: not recorded in the report

PID: 3312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\强制清理日志.bat (filename translates to "forced cleanup log")
Type: text
MD5: ED195DA937A463D14D50038F816C6517
SHA256: 354ED183F6E544138C419C520D735358808D244FD7E6FCA9D121C3C247604B37

PID: 3312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\myd3d.dll
Type: executable
MD5: 7C0D03B2CCF87473B9809C2EC1AD6A15
SHA256: 3F966C651A622CF9D11395D07CD266E2B7671C8579A8730E05BD7DFC1226D34E

PID: 3312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\破解补丁01~Rip.exe (filename translates to "crack patch 01~Rip")
Type: executable
MD5: 2B424301F1EA20F7B3C3E69C7D7F6E5F
SHA256: DDB77391D38F52F1D892F5E762D723214DB6138803515C26EC40832410650A4E

PID: 3312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\清理残留.zip (filename translates to "clean up leftovers")
Type: compressed
MD5: 2D876B52D180518FFBDB640D6A6AF4A2
SHA256: A553B138168BBF4DC43B15745532EBF1E7CBA6C0D543157BB5768DEF43C43594

PID: 2764
Process: wermgr.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_冰影-LD7.6.exe_4bf9a379673dd2a6ba88c25c292f27e8f0618a_cab_0ae4aecb\Report.wer
Type: binary
MD5: 681FA9690409B16923384D4768A51328
SHA256: 4E3CA709D41C16A3F4B98B8640BC35F3B6ABD00CFA6313D8054AEE495657DC27

PID: 3312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe
Type: executable
MD5: 2B5B30FF0F38A61B58FF6CC7A600BAC2
SHA256: E8E18D6E6E463F6005744BA30A8BFD1A75FD7ABE9738856F4425F4FC291BC167

PID: 2764
Process: wermgr.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_冰影-LD7.6.exe_4bf9a379673dd2a6ba88c25c292f27e8f0618a_cab_0ae4aecb\appcompat.txt
Type: xml
MD5: 6E50355A38C2FB8688897B88DC8B3620
SHA256: D5CB8E92D65740B4C01653F57B43AD620113E66D1EF95672DC289B571C2A8C1E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID: 400
Process: WerFault.exe
Method: GET
HTTP Code: not recorded in the report
IP: 52.158.209.219:80
URL: http://watson.microsoft.com/StageOne/%E5%86%B0%E5%BD%B1-LD7_6_exe/0_0_0_0/5f033ffe/%E5%86%B0%E5%BD%B1-LD7_6_exe/0_0_0_0/5f033ffe/c0000005/0000dceb.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063
CN: US
Type, Size: not recorded in the report
Reputation: whitelisted

Connections

PID: 1924
Process: WerFault.exe
IP: 52.158.209.219:80
Domain: watson.microsoft.com
ASN: Microsoft Corporation
CN: US
Reputation: suspicious

PID: 400
Process: WerFault.exe
IP: 52.158.209.219:80
Domain: watson.microsoft.com
ASN: Microsoft Corporation
CN: US
Reputation: suspicious

DNS requests

Domain: watson.microsoft.com
IP: 52.158.209.219
Reputation: whitelisted

Threats

PID: 1924
Process: WerFault.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY Application Crash Report Sent to Microsoft

PID: 1924
Process: WerFault.exe
Class: Unknown Traffic
Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

PID: 400
Process: WerFault.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY Application Crash Report Sent to Microsoft
Process: 冰影-LD7.6.exe
Message: FTH: (2616): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***