File name: 1.zip
Full analysis: https://app.any.run/tasks/7c1ac9f8-4dd2-4d14-b4c4-052f1b17d772
Verdict: Malicious activity
Analysis date: January 17, 2020, 19:04:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: D2E41C24C0ED4A673CF531DBF86FE661
SHA1: 4364C0CB16DE2E53D622207B022E0256EC80F803
SHA256: 6A056124300512066DD5894A36BA0C6C18D60E5617BA3BCBF8D595B3EEC6B6B4
SSDEEP: 98304:Ld2EgbacXP80VlECu8RkBaolRbGVINkNC7/P2EBTOrfLVMpl55EmURncmNTd:Ld5tGzlECuekBaofbGNCrtO7a750ppNR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • JavaSetup8u241.exe (PID: 1028)
      • JavaSetup.exe (PID: 2604)
      • JavaSetup.exe (PID: 2840)
      • windows.exe (PID: 252)
      • JavaSetup.exe (PID: 1916)
      • Pictures.exe (PID: 2440)
    • Writes to a start menu file

      • windows.exe (PID: 252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • JavaSetup8u241.exe (PID: 1028)
      • WinRAR.exe (PID: 2720)
      • Pictures.exe (PID: 2440)
      • JavaSetup.exe (PID: 1916)
    • Creates files in the program directory

      • JavaSetup8u241.exe (PID: 1028)
      • Pictures.exe (PID: 2440)
    • Creates files in the user directory

      • windows.exe (PID: 252)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2440)
    • Executes scripts

      • windows.exe (PID: 252)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2484)
    • Reads internet explorer settings

      • JavaSetup.exe (PID: 2840)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2440)
  • INFO

    • Manual execution by user

      • JavaSetup8u241.exe (PID: 1028)
      • javaw.exe (PID: 2832)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Lazyscan 1.7/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:01:17 20:12:20
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 51
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph image not available in this extract. Process nodes: winrar.exe, javasetup8u241.exe, pictures.exe, javasetup.exe (no specs), windows.exe, wscript.exe (no specs), cmd.exe (no specs), reg.exe (no specs), attrib.exe (no specs), javasetup.exe, javasetup.exe, javaw.exe (no specs). Edges are labelled "start" and "drop and start".

Process information

PID: 2720
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1028
CMD: "C:\Users\admin\Desktop\Lazyscan 1.7\JavaSetup8u241.exe"
Path: C:\Users\admin\Desktop\Lazyscan 1.7\JavaSetup8u241.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2440
CMD: "C:\ProgramData\Pictures.exe"
Path: C:\ProgramData\Pictures.exe
Parent process: JavaSetup8u241.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2604
CMD: "C:\ProgramData\JavaSetup.exe"
Path: C:\ProgramData\JavaSetup.exe
Parent process: JavaSetup8u241.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java Platform SE binary
Exit code: 3221226540
Version: 8.0.2410.7

PID: 252
CMD: "C:\ProgramData\Adobe\windows.exe"
Path: C:\ProgramData\Adobe\windows.exe
Parent process: Pictures.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2484
CMD: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Adobe\windows.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2440
CMD: cmd /c ""C:\ProgramData\Adobe\Disables.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1876
CMD: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 964
CMD: attrib +s +h C:\ProgramData\Adobe
Path: C:\Windows\system32\attrib.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1916
CMD: "C:\ProgramData\JavaSetup.exe"
Path: C:\ProgramData\JavaSetup.exe
Parent process: JavaSetup8u241.exe
User: admin
Company: Oracle Corporation
Integrity Level: HIGH
Description: Java Platform SE binary
Version: 8.0.2410.7
Total events: 727
Read events: 674
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 7
Suspicious files: 0
Text files: 124
Unknown types: 11

Dropped files

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\Lazyscan 1.7\lazyssh.jar
Type: -
MD5: -
SHA256: -

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\Lazyscan 1.7\lib\jsch-0.1.51.jar
Type: -
MD5: -
SHA256: -

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\Lazyscan 1.7\lib\mysql-connector-java-5.1.33-bin.jar
Type: -
MD5: -
SHA256: -

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\Lazyscan 1.7\lib\zip4j_1.3.2.jar
Type: -
MD5: -
SHA256: -

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\Lazyscan 1.7\Logs\LIVE.txt
Type: -
MD5: -
SHA256: -

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\Lazyscan 1.7\Logs\WRONG.txt
Type: -
MD5: -
SHA256: -

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\Lazyscan 1.7\UserPassList.txt
Type: -
MD5: -
SHA256: -

PID: 1028
Process: JavaSetup8u241.exe
Filename: C:\ProgramData\Pictures.exe
Type: executable
MD5: F825C1CFBC54E9650B0978E15C54CA50
SHA256: F085032C1EAAEA6975A2034240308B1BE8BEBB20C74B1E0BB2D3F55F9AA54698

PID: 2720
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2720.42148\Lazyscan 1.7\JavaSetup8u241.exe
Type: executable
MD5: 75386627EEBE03A84BCA4114D4ACBB90
SHA256: ACF35B7AA82C07594C996B553A29E464D8FFD1E5C7BB4DB3BA0FBB3E89F4CE9D

PID: 2440
Process: Pictures.exe
Filename: C:\ProgramData\Adobe\explorer.lnk
Type: lnk
MD5: B740E3E72DA4B6BCBC02E2976A8D2EFC
SHA256: CABEF05A808B724DDBF3BF6B5585C133FF9B85F30910BBA36EC9814B1E51ED47
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2840
Process: JavaSetup.exe
IP: 2.19.41.212:443
Domain: javadl.oracle.com
ASN: Akamai International B.V.
CN: -
Reputation: whitelisted

PID: 2840
Process: JavaSetup.exe
IP: 95.100.141.142:443
Domain: javadl-esd-secure.oracle.com
ASN: Akamai Technologies, Inc.
CN: -
Reputation: unknown

DNS requests

Domain: javadl-esd-secure.oracle.com
IP: 95.100.141.142
Reputation: whitelisted

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Domain: javadl.oracle.com
IP: 2.19.41.212
Reputation: whitelisted

Threats

No threats detected
No debug info