File name: Engineering,+Procurement,+Construction+for+Samgori+South+Dome+Underground+Gas+Storage+Project.zip
Full analysis: https://app.any.run/tasks/61ea987a-9977-4e6f-92ad-fa3cecf78b0f
Verdict: Malicious activity
Analysis date: March 31, 2020, 09:31:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 298B2AE3182376128208FE47A16F8984
SHA1: 6B9198E10308875B4C2419A755E19BEA19EA3469
SHA256: 6B18BC001E7207EE9B60AD87DE0854D441FD0EC53752FAA66FBAD160E7E53522
SSDEEP: 12288:ChDGz/rhaXmH2h/zGWTfVpeDvpaGCKnMcYfQWK6VjzGQegp9F174S478K6G:Y6z/F4mH2FrT/eDvpaGM4oVjzGQeg3FC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3196)
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3036)
    • Actions looks like stealing of personal data
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3196)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3172)
    • Reads the cookies of Google Chrome
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3196)
    • Creates files in the user directory
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3196)
    • Reads the cookies of Mozilla Firefox
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3196)
    • Reads Environment values
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3196)
    • Connects to SMTP port
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3196)
  • INFO
    • Manual execution by user
      • Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe (PID: 3036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:03:31 02:17:01
ZipCRC: 0xdbb01f75
ZipCompressedSize: 621116
ZipUncompressedSize: 1006080
ZipFileName: Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive version in the full report): winrar.exe → "drop and start" → Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe; a second Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe instance is shown as "start" with no specs.

Process information

PID: 3172
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Engineering,+Procurement,+Construction+for+Samgori+South+Dome+Underground+Gas+Storage+Project.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3196
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3172.45190\Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3172.45190\Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Parent process: WinRAR.exe
User: admin
Company: Sakysoft s.r.l.
Integrity Level: MEDIUM
Description: Prevented Artist 1998
Version: 1.5.6.1

PID: 3036
CMD: "C:\Users\admin\Desktop\Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe"
Path: C:\Users\admin\Desktop\Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Parent process: explorer.exe
User: admin
Company: Sakysoft s.r.l.
Integrity Level: MEDIUM
Description: Prevented Artist 1998
Exit code: 4294967295
Version: 1.5.6.1
Total events: 515
Read events: 492
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 2

Dropped files

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3172.46514\Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Type:
MD5:
SHA256:

PID: 3196
Process: Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Filename: C:\Users\admin\AppData\Roaming\opiemij2.l2u\Firefox\Profiles\qldyz51w.default\cookies.sqlite
Type: sqlite
MD5: 7C426E0FC19063A433349CE713DA84A0
SHA256: 9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3172.45190\Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Type: executable
MD5: 9EDD0D824A3E5FBE88A388D38B98926B
SHA256: B43F87AD313A0F490642ABAA3C0CD50D6DE97312BEF505D34919A0096A1C2FD0

PID: 3196
Process: Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Filename: C:\Users\admin\AppData\Roaming\opiemij2.l2u.zip
Type: compressed
MD5: 08EEA8CCF9F58DE7CD788C054DBB8E19
SHA256: 3E87362F8DB8291A38EF2D5D44058C7F029A42E8947413B7282875B16F4555DF

PID: 3196
Process: Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Filename: C:\Users\admin\AppData\Roaming\opiemij2.l2u\Chrome\Default\Cookies
Type: sqlite
MD5: DD9640AF5F03807CF2E3921CBA16AF0D
SHA256: ECF72C454FEF08C5948A565464839A554567E499F995483D6C8B54B32EA2C5F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3196
Process: Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
IP: 77.88.21.158:587
Domain: smtp.yandex.com
ASN: YANDEX LLC
CN: RU
Reputation: whitelisted

DNS requests

Domain: smtp.yandex.com
IP: 77.88.21.158
Reputation: shared

Threats

PID: 3196
Process: Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Class: Generic Protocol Command Decode
Message: SURICATA Applayer Detect protocol only one direction

PID: 3196
Process: Engineering, Procurement, Construction for Samgori South Dome Underground Gas Storage Project.exe
Class: Generic Protocol Command Decode
Message: SURICATA Applayer Detect protocol only one direction
No debug info