File name: 2773e3dc59472296cb0024ba7715a64e.zip

Full analysis: https://app.any.run/tasks/2dd14b4c-451e-4c5c-a0a4-d517ecff0d73
Verdict: Malicious activity
Analysis date: June 28, 2023, 02:06:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B877491211BFCFF842912FD055588799
SHA1: D19E7A79B08BAE01B00AC447F6CFD236EF055474
SHA256: 6D230F1F3A10F78741545A9D6FBD43BBB0A6A55FEFCA245760D5DB92AC3CC1CD
SSDEEP: 3072:aAYjkooRsGE5zhcE+MhDcOHhcrD3gmsn7Hbt2edV0OI9Oez9DB4v/RfPE+5ApuPw:zY4/Ezz+ML2q7kvNcezVavJdZP/B8ccT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
      • drpbx.exe (PID: 1808)
      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3696)
    • Changes the autorun value in the registry

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3696)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
    • Starts itself from another location

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
    • Executable content was dropped or overwritten

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
  • INFO

    • The process checks LSA protection

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
      • drpbx.exe (PID: 1808)
      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3696)
    • Reads the machine GUID from the registry

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
      • drpbx.exe (PID: 1808)
      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3696)
    • Reads the computer name

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3696)
    • Checks supported languages

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
      • drpbx.exe (PID: 1808)
      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3696)
    • Manual execution by a user

      • WINWORD.EXE (PID: 4004)
      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3696)
      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
    • Creates files or folders in the user directory

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 3912)
    • Creates files in the program directory

      • drpbx.exe (PID: 1808)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788 (0x0314; low byte 0x14 = 20, i.e. ZIP 2.0, matching the "at least v2.0 to extract" file info above)
ZipBitFlag: 0x0001 (bit 0 set: the entry is encrypted, so the payload cannot be inflated without the archive password)
ZipCompression: Deflated
ZipModifyDate: 2016:04:13 18:02:34
ZipCRC: 0x3c351d58
ZipCompressedSize: 242871
ZipUncompressedSize: 290304
ZipFileName: 2773e3dc59472296cb0024ba7715a64e.exe
No data.
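The EXIF block above is a raw dump of the archive's local file header. As an added example that is not part of the ANY.RUN report, the Python below parses that 30-byte header from a constructed one-entry ZIP whose member name and ZipModifyDate mirror the values above, and decodes the two fields that matter for triage: the "version needed" field (the raw 788 the tool printed is 0x0314, low byte 20 = ZIP 2.0) and the general-purpose bit flag, whose bit 0 (set in this archive, 0x0001) marks the entry as encrypted. The sample payload is filler, not the real executable; all function and constant names are mine.

```python
from __future__ import annotations

import io
import struct
import zipfile
import zlib

# Local file header, APPNOTE 4.3.7: signature, version needed, flags, method,
# DOS time, DOS date, CRC-32, compressed size, uncompressed size, name length,
# extra length. The fixed part is 30 bytes; name and extra field follow it.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
METHODS = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES-encrypted"}

# Constructed sample payload (filler, not the real executable from the report).
SAMPLE_NAME = "2773e3dc59472296cb0024ba7715a64e.exe"
SAMPLE_PAYLOAD = b"MZ" + b"constructed filler, not a real PE image " * 40


def decode_version(raw: int) -> tuple[int, int]:
    """Split 'version needed to extract' into (low byte, high byte).
    The low byte is the spec version x10, so 20 means ZIP 2.0. The report's
    raw 788 is 0x0314: low byte 20, high byte 3; a non-zero high byte is why
    the EXIF tool printed a bare number instead of a version string."""
    return raw & 0xFF, raw >> 8


def decode_flags(flags: int) -> dict[str, bool]:
    """Interpret the general-purpose bit flag (APPNOTE 4.4.4)."""
    return {
        "encrypted": bool(flags & 0x0001),        # bit 0: entry is encrypted
        "data_descriptor": bool(flags & 0x0008),  # bit 3: CRC/sizes trail the data
        "utf8_names": bool(flags & 0x0800),       # bit 11: names are UTF-8
    }


def dos_datetime(date: int, time: int) -> tuple[int, int, int, int, int, int]:
    """Unpack MS-DOS date/time: local time, 2-second resolution, no zone."""
    return ((date >> 9) + 1980, (date >> 5) & 0x0F, date & 0x1F,
            time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_local_header(buf: bytes, offset: int = 0) -> dict:
    """Parse the local file header at `offset` into analyst-friendly fields."""
    if len(buf) < offset + LOCAL_HEADER.size:
        raise ValueError("buffer too short for a local file header")
    (sig, version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = LOCAL_HEADER.unpack_from(buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}: {sig!r}")
    name_start = offset + LOCAL_HEADER.size
    name = buf[name_start:name_start + name_len]
    return {
        "filename": name.decode("utf-8", errors="replace"),
        "version": decode_version(version),
        "flags": decode_flags(flags),
        "method": METHODS.get(method, f"unknown({method})"),
        "mtime": dos_datetime(mdate, mtime),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "data_offset": name_start + name_len + extra_len,
    }


def build_sample_zip() -> bytes:
    """Constructed one-entry archive: Deflated, unencrypted, with the member
    name and ZipModifyDate from the report so the parsed output is comparable."""
    info = zipfile.ZipInfo(SAMPLE_NAME, date_time=(2016, 4, 13, 18, 2, 34))
    info.compress_type = zipfile.ZIP_DEFLATED
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zf.writestr(info, SAMPLE_PAYLOAD)
    return bio.getvalue()


def header_crc_matches_payload(buf: bytes, payload: bytes) -> bool:
    """The header CRC-32 covers the plaintext even for encrypted entries, so
    it can be checked against whatever was eventually extracted."""
    return parse_local_header(buf)["crc32"] == (zlib.crc32(payload) & 0xFFFFFFFF)


if __name__ == "__main__":
    for key, value in parse_local_header(build_sample_zip()).items():
        print(f"{key:>18}: {value}")
    print("report fields:", decode_version(788), decode_flags(0x0001))
```

With bit 0 set, the compressed bytes cannot be inflated without the password, so scanners that stop at the central directory see nothing of the payload; the CRC in the header is still that of the plaintext and can be compared against the file WinRAR extracted. ZipModifyDate is DOS local time with no timezone, written by whoever built the archive, so treat it as a weak clue rather than evidence.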
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes (interactive graph in the full report): winrar.exe, 2773e3dc59472296cb0024ba7715a64e.exe, drpbx.exe, winword.exe (no specs), 2773e3dc59472296cb0024ba7715a64e.exe (no specs); edge labels: start, drop and start.

Process information

PID: 3524
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2773e3dc59472296cb0024ba7715a64e.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
PID: 3912
CMD: "C:\Users\admin\Desktop\2773e3dc59472296cb0024ba7715a64e.exe"
Path: C:\Users\admin\Desktop\2773e3dc59472296cb0024ba7715a64e.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 37.0.2.5583
Modules (images):
c:\users\admin\desktop\2773e3dc59472296cb0024ba7715a64e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1808
CMD: "C:\Users\admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\admin\Desktop\2773e3dc59472296cb0024ba7715a64e.exe
Path: C:\Users\admin\AppData\Local\Drpbx\drpbx.exe
Parent process: 2773e3dc59472296cb0024ba7715a64e.exe
User: admin
Integrity Level: MEDIUM
Description: Firefox
Version: 37.0.2.5583
Modules (images):
c:\users\admin\appdata\local\drpbx\drpbx.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 4004
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\etadministration.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 3696
CMD: "C:\Users\admin\Desktop\2773e3dc59472296cb0024ba7715a64e.exe"
Path: C:\Users\admin\Desktop\2773e3dc59472296cb0024ba7715a64e.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 37.0.2.5583
Modules (images):
c:\users\admin\desktop\2773e3dc59472296cb0024ba7715a64e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 7 402
Read events: 7 207
Write events: 52
Delete events: 143

Modification events

(PID) Process  Operation  Key  Name = Value
(3524) WinRAR.exe  write  HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E  LanguageList = en-US
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  2 = C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  1 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  0 = C:\Users\admin\Desktop\phacker.zip
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  name = 120
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  size = 80
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  type = 120
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  mtime = 100
(3524) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\Interface  ShowPassword = 0
(3912) 2773e3dc59472296cb0024ba7715a64e.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  ProxyBypass = 1
Executable files: 4
Suspicious files: 382
Text files: 1
Unknown types: 0

Dropped files

PID  Process  Filename  Type
4004  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\CVR507A.tmp.cvr  (type, MD5 and SHA256 not listed)
3912  2773e3dc59472296cb0024ba7715a64e.exe  C:\Users\admin\AppData\Roaming\Frfx\firefox.exe  executable
      MD5: 2773E3DC59472296CB0024BA7715A64E  SHA256: 3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7
3912  2773e3dc59472296cb0024ba7715a64e.exe  C:\Users\admin\AppData\Local\Drpbx\drpbx.exe  executable
      MD5: 2773E3DC59472296CB0024BA7715A64E  SHA256: 3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7
1808  drpbx.exe  C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccessMUI.xml.fun  binary
      MD5: 28441B8C917510D970D6180D613CE8E0  SHA256: 5965C7D4E0173C8DFB8F976D47B0EC3FC8D3FF2200B39155E1440D7EDDA7CC53
4004  WINWORD.EXE  C:\Users\admin\Desktop\~$administration.rtf  binary
      MD5: ABDE4DC920251DFA9349A37F0632E1E1  SHA256: 6A6C5C36FADB7E444ABB3D231411EA8810401CF690075D5C9269A80D312E8211
1808  drpbx.exe  C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\branding.xml.fun  binary
      MD5: 4DB4DDE56A7D1D8B4BA2487F3834F59B  SHA256: 5E665BA65BA94CDA7C8775B6D64877691B8C28F3714FF0FDF354905D5EA0CCBC
1808  drpbx.exe  C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\Setup.xml.fun  binary
      MD5: 9D19D98D71BBB006AED9379F74906F6B  SHA256: E32F5C1558986B99421C3F197F1FEFDF2CB485693FF4AD4963904CBBBEBB9574
4004  WINWORD.EXE  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat  text
      MD5: B7F156A5A19F720D86DB4C51040A2749  SHA256: 48AC94B46551C504BDEAEF5CA1F2A832C2C539F522343701AF964A9DB32088F6
1808  drpbx.exe  C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\branding.xml.fun  binary
      MD5: AF3B47EE3239EE27A36DF974BA6FF35A  SHA256: FD6C354E84802174AB77076F4167F39BD68CAB971EC46A80000BDB8150F05CF5
1808  drpbx.exe  C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.fun  binary
      MD5: C004E8491FF15DE08F1FA4E4C998A799  SHA256: 11F36C2CDDB7ACFBE430A304D826F2D3921826B33B08A9A82624AD6ADB3D3C74
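The indicator tree flags "Starts itself from another location" and "Changes the autorun value in the registry", and the dropped-files table shows the pattern behind them: PID 3912 writes two copies of itself (both hash to the sample's own MD5) to Frfx\firefox.exe and Drpbx\drpbx.exe, the drpbx.exe copy is then launched as PID 1808 with the original path as its argument, and that copy rewrites files under C:\MSOCache with .fun appended. As an added example that is not part of the ANY.RUN report, the Python below runs four detections over a constructed event log assembled from the process, dropped-file and registry tables: a child whose image hashes identical to its parent's but lives at another path, a process image that its parent wrote earlier in the log, a write under a Run/RunOnce key, and a burst of files written with a second extension appended across several directories. The rules are written generally (any hash match, any Run key, any appended extension), not just for this sample. The explorer.exe PID, the placeholder hashes for WinRAR and Word, and the Run-key value are assumptions: the report only says PID 3696 changed an autorun value, not which key or value.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

SAMPLE_MD5 = "2773e3dc59472296cb0024ba7715a64e"   # both dropped copies hash to the sample's own MD5
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Constructed event log assembled from the report's tables, in the order the
# report implies. Assumptions: PID 1234 for explorer.exe, placeholder hashes for
# WinRAR and Word, and the Run-key value (the report flags an autorun change by
# PID 3696 but does not print the key).
EVENTS = [
    {"type": "process", "pid": 1234, "ppid": 0, "image": r"C:\Windows\explorer.exe", "md5": "explorer-placeholder"},
    {"type": "process", "pid": 3524, "ppid": 1234, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "md5": "winrar-placeholder"},
    {"type": "process", "pid": 3912, "ppid": 1234, "image": r"C:\Users\admin\Desktop\2773e3dc59472296cb0024ba7715a64e.exe", "md5": SAMPLE_MD5},
    {"type": "registry", "pid": 3912, "op": "write", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "name": "ProxyBypass", "value": "1"},
    {"type": "file", "pid": 3912, "path": r"C:\Users\admin\AppData\Roaming\Frfx\firefox.exe", "md5": SAMPLE_MD5},
    {"type": "file", "pid": 3912, "path": r"C:\Users\admin\AppData\Local\Drpbx\drpbx.exe", "md5": SAMPLE_MD5},
    {"type": "process", "pid": 1808, "ppid": 3912, "image": r"C:\Users\admin\AppData\Local\Drpbx\drpbx.exe", "md5": SAMPLE_MD5},
    {"type": "file", "pid": 1808, "path": r"C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccessMUI.xml.fun"},
    {"type": "file", "pid": 1808, "path": r"C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\branding.xml.fun"},
    {"type": "file", "pid": 1808, "path": r"C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\Setup.xml.fun"},
    {"type": "file", "pid": 1808, "path": r"C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\branding.xml.fun"},
    {"type": "file", "pid": 1808, "path": r"C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.fun"},
    {"type": "process", "pid": 4004, "ppid": 1234, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", "md5": "word-placeholder"},
    {"type": "file", "pid": 4004, "path": r"C:\Users\admin\AppData\Local\Temp\CVR507A.tmp.cvr"},
    {"type": "file", "pid": 4004, "path": r"C:\Users\admin\Desktop\~$administration.rtf"},
    {"type": "process", "pid": 3696, "ppid": 1234, "image": r"C:\Users\admin\Desktop\2773e3dc59472296cb0024ba7715a64e.exe", "md5": SAMPLE_MD5},
    {"type": "registry", "pid": 3696, "op": "write", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "name": "firefox.exe", "value": r"C:\Users\admin\AppData\Roaming\Frfx\firefox.exe"},  # assumed key and value
]


def self_copy_launches(events: list[dict]) -> list[tuple[int, int, str]]:
    """Child whose image hashes identical to its parent's image but lives at a
    different path: the 'starts itself from another location' pattern."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and p["md5"] == parent["md5"] and p["image"].lower() != parent["image"].lower():
            hits.append((parent["pid"], p["pid"], p["image"]))
    return hits


def dropped_then_executed(events: list[dict]) -> list[tuple[int, int, str]]:
    """Process whose image was written earlier in the log by its parent."""
    written: dict[int, set[str]] = defaultdict(set)   # pid -> lowercase paths it wrote
    hits = []
    for e in events:
        if e["type"] == "file":
            written[e["pid"]].add(e["path"].lower())
        elif e["type"] == "process" and e["image"].lower() in written.get(e["ppid"], set()):
            hits.append((e["ppid"], e["pid"], e["image"]))
    return hits


def autorun_writes(events: list[dict]) -> list[tuple[int, str, str]]:
    """Any write under a ...\\CurrentVersion\\Run or RunOnce key."""
    return [(e["pid"], e["name"], e["value"]) for e in events
            if e["type"] == "registry" and e.get("op") == "write" and AUTORUN_KEY.search(e["key"])]


def appended_extension_bursts(events: list[dict], min_files: int = 3) -> dict:
    """Files written with a new extension appended to an existing one
    (AccessMUI.xml -> AccessMUI.xml.fun), grouped by the appended extension and
    reported when at least `min_files` of them appear."""
    stats = defaultdict(lambda: {"files": 0, "dirs": set(), "pids": set()})
    for e in events:
        if e["type"] != "file":
            continue
        stem, ext = ntpath.splitext(ntpath.basename(e["path"]))
        if not ext or not ntpath.splitext(stem)[1]:   # require a double extension
            continue
        s = stats[ext.lower()]
        s["files"] += 1
        s["dirs"].add(ntpath.dirname(e["path"]).lower())
        s["pids"].add(e["pid"])
    return {ext: {"files": s["files"], "dirs": len(s["dirs"]), "pids": sorted(s["pids"])}
            for ext, s in stats.items() if s["files"] >= min_files}


def triage(events: list[dict]) -> dict:
    return {
        "self_copy": self_copy_launches(events),
        "dropped_then_executed": dropped_then_executed(events),
        "autorun": autorun_writes(events),
        "extension_bursts": appended_extension_bursts(events),
    }


if __name__ == "__main__":
    for name, result in triage(EVENTS).items():
        print(f"{name}: {result}")
```

The hash-based rule needs the image hash of both parent and child (Sysmon event 1 or an EDR process-create record supplies it); the dropped-then-executed rule needs only paths and PIDs, which is why both are kept. The extension rule ignores single-extension writes such as the Word lock file ~$administration.rtf and the one-off CVR507A.tmp.cvr, and fires here on the five .fun files spread over three MSOCache directories.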
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port               Reputation
4     System       192.168.100.255:138   whitelisted
4     System       192.168.100.255:137   whitelisted
292   svchost.exe  239.255.255.250:1900  whitelisted
1076  svchost.exe  224.0.0.252:5355      unknown
(Domain, ASN and CN were empty for all four rows.)
All four are local broadcast or multicast traffic from Windows itself (NetBIOS name and datagram service on 137/138, SSDP on 1900, LLMNR on 5355); none originates from the sample's processes (PIDs 3912, 1808, 3696), which made no outbound connections during the run.

DNS requests

No data

Threats

No threats detected
No debug info