| Field | Value |
|---|---|
| File name | AlZip.exe |
| Full analysis | https://app.any.run/tasks/d29532cd-cdc7-42a0-a884-dd11b2f1411b |
| Verdict | Malicious activity |
| Analysis date | February 25, 2024, 03:37:29 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 7BC322D95951DFE16E8CF47EE586E909 |
| SHA1 | 8C869A4B57A47CE0E9C578A33413F125D58DBC47 |
| SHA256 | 6BF4879E15B5E25B35144FE4E136705AFB501B21F78EB1CACF45618A1452D272 |
| SSDEEP | 49152:E7rbmhgP5cP3q5EAL6MaGlIgjCskBziPh0RBIloxzVo7T1IWSKcg6ZDsj1A+oUN4:crihgP5cP3qmVd1CaBsnSZg6ZDsxOmhm |

| Extension | File type | Match (%) |
|---|---|---|
| .exe | Win64 Executable (generic) | 49.4 |
| .scr | Windows screen saver | 23.4 |
| .dll | Win32 Dynamic Link Library (generic) | 11.7 |
| .exe | Win32 Executable (generic) | 8 |
| .exe | Generic Win/DOS Executable | 3.5 |

| Field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 1999:06:07 09:10:54+00:00 |
| ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType | PE32 |
| LinkerVersion | 6 |
| CodeSize | 40960 |
| InitializedDataSize | 20480 |
| UninitializedDataSize | - |
| EntryPoint | 0x02a8 |
| OSVersion | 4 |
| ImageVersion | - |
| SubsystemVersion | 4 |
| Subsystem | Windows GUI |

| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code |
|---|---|---|---|---|---|---|---|
| 3668 | "C:\Users\admin\AppData\Local\Temp\AlZip.exe" | C:\Users\admin\AppData\Local\Temp\AlZip.exe | — | explorer.exe | admin | MEDIUM | 0 |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3668 | AlZip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Windows\system32\unace.dll | 1 |
| 3668 | AlZip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Windows\system32\unrar.dll | 1 |
| 3668 | AlZip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Windows\system32\cabinet.dll | 1 |
| 3668 | AlZip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\ESTSOFT\AlZip\1.0 | RootDir | c:\Program Files\AlZip |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3668 | AlZip.exe | — | — | — | — |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\AlZipSFX.$A | executable | 58F6EAB018E76839C7851F01064E5E0F | 1F7D05473E0EEA270EF38F5E4748CE2177D9C0A72D546FCB0C0B5C1804BA561F |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\zipSFX.$A | executable | A532650392D3A85805276A8DA4AF31AE | AB17AF60CAE6249B17B8D5B8B98D78C4C48E4086D16712744FB81918A223F1FA |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\Alzip.$A | executable | DC9230367FD6678E9C06C99FBBD1B0E6 | 94ADFA6C8E091E3485F9C6C6704E4E950306DCCAEAAF1BDD4DE34A1C99BB4C9C |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\¾ËÁýÀÇ ¹ßÀÚÃë.$A | text | FD115EA5ECF7ADD6E3D75DA39B071211 | 638C173B99FB7FAD5F6C83FA17D3F666A65749DFF8C208B6543AC556F0679014 |
| 3668 | AlZip.exe | C:\Windows\System32\zipSFX.BIN | executable | A532650392D3A85805276A8DA4AF31AE | AB17AF60CAE6249B17B8D5B8B98D78C4C48E4086D16712744FB81918A223F1FA |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\unrar.$A | executable | 0D509B000ED82223628C303FD49C2022 | FACB32D617482B60A27472570449A2DD8B0B77B88BA6EE2D4C7F2952CCB8F119 |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\cabinet.$A | executable | CDA28BAC44C11148122C972BF52A82CC | 00C9B077543A656D36B71BA3E5A95627951BB110C24303B22D307A63B11E35AB |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\¾ËÁý ¼³¸í¼.$A | text | 50BD2657121A622781C7A27E5BAD642E | 5BE71ED15B6EA6DC34E938BC7C909A5B1F53BA04A0173D81A34B57E1C6F31FD0 |
| 3668 | AlZip.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\Àо¼¼¿ä.$A | text | 6C09A61D1B58E4DF2F85DE3CFAC89256 | 4CC854AB3D268767CBF84BFDA82CEE7428D5B22E7E42C23186BAD44503647C76 |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |