File name: Stefanie Haigis Ausgleich stornierten Buchung Ihrer Bestellung Ebay vom 13.08.2014.zip

Full analysis: https://app.any.run/tasks/23a2420b-537e-4e1c-b279-626dab295eaa
Verdict: Malicious activity
Analysis date: June 19, 2019, 09:02:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data
MD5: 9A8D90246542CDC09960615CFA376385
SHA1: AB7E7D3EE9DB5F2231A665DE1BC11768EEBC3E9D
SHA256: 6D5A84A4E53F1F1B55DF1D2080B18FDEEC3849DCEB7234395AF8203046271B8C
SSDEEP: 3072:7sKXm7PFj8Tfo4z80y3jbxDZm6MU3+65HLqY2/tPw1:4KXmRj8Tfo4z8xlmRU3HwYStPw1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com (PID: 2360)
      • Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com (PID: 2648)
      • bestumpwjf.pre (PID: 2688)
      • jmoqqetuha.pre (PID: 3100)
    • Uses SVCHOST.EXE for hidden code execution

      • Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com (PID: 2360)
      • Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com (PID: 2648)
      • jmoqqetuha.pre (PID: 3100)
      • bestumpwjf.pre (PID: 2688)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 3888)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2552)
      • WinRAR.exe (PID: 2900)
      • svchost.exe (PID: 1936)
      • svchost.exe (PID: 296)
    • Application launched itself

      • WinRAR.exe (PID: 2320)
    • Starts application with an unusual extension

      • WinRAR.exe (PID: 2552)
      • svchost.exe (PID: 1936)
      • WinRAR.exe (PID: 2900)
      • svchost.exe (PID: 296)
    • Creates files in the user directory

      • svchost.exe (PID: 3888)
    • Uses TASKKILL.EXE to kill process

      • svchost.exe (PID: 2440)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 16
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2014:08:13 11:05:22
ZipCRC: 0x225a1159
ZipCompressedSize: 98916
ZipUncompressedSize: 98916
ZipFileName: Ausgleich stornierten Zahlung Ihrer Bestellung Ebay vom 13.08.2014.zip
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 12
Malicious processes: 9
Suspicious processes: 0

Behavior graph

[Interactive process graph; nodes: winrar.exe (3), ausgleich 13.08.2014 - rechtsanwalt ebay gmbh.com (2), svchost.exe (4), bestumpwjf.pre, jmoqqetuha.pre, taskkill.exe]

Process information

PID 2320
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Stefanie Haigis Ausgleich stornierten Buchung Ihrer Bestellung Ebay vom 13.08.2014.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2552
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2320.45216\Ausgleich stornierten Zahlung Ihrer Bestellung Ebay vom 13.08.2014.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2900
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2320.45436\Ausgleich stornierten Zahlung Ihrer Bestellung Ebay vom 13.08.2014.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2360
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2552.46071\Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2552.46071\Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com
  Parent process: WinRAR.exe
  User: admin
  Company: VMware
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 9.3.1.4

PID 2648
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2900.46802\Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2900.46802\Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com
  Parent process: WinRAR.exe
  User: admin
  Company: VMware
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 9.3.1.4

PID 1936
  CMD: svchost.exe
  Path: C:\Windows\system32\svchost.exe
  Parent process: Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Host Process for Windows Services
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 296
  CMD: svchost.exe
  Path: C:\Windows\system32\svchost.exe
  Parent process: Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Host Process for Windows Services
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2688
  CMD: C:\Users\admin\AppData\Local\Temp\bestumpwjf.pre
  Path: C:\Users\admin\AppData\Local\Temp\bestumpwjf.pre
  Parent process: svchost.exe
  User: admin
  Company: VMware
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 9.3.1.4

PID 3100
  CMD: C:\Users\admin\AppData\Local\Temp\jmoqqetuha.pre
  Path: C:\Users\admin\AppData\Local\Temp\jmoqqetuha.pre
  Parent process: svchost.exe
  User: admin
  Company: VMware
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 9.3.1.4

PID 3888
  CMD: svchost.exe
  Path: C:\Windows\system32\svchost.exe
  Parent process: bestumpwjf.pre
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 309
Read events: 1 269
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID 3888 (svchost.exe)
  Filename: C:\Users\admin\AppData\Roaming\Pkoegbv\qimtkjmn.exe
  MD5:
  SHA256:

PID 2320 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2320.45436\Ausgleich stornierten Zahlung Ihrer Bestellung Ebay vom 13.08.2014.zip
  Type: compressed
  MD5: D298CD98C102EEE0E7DE7856754226A9
  SHA256: 9E3593E1973E2497B79E12A67BC19600F48AB82B8552C9D674790C11230C62DD

PID 2320 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2320.45216\Ausgleich stornierten Zahlung Ihrer Bestellung Ebay vom 13.08.2014.zip
  Type: compressed
  MD5: D298CD98C102EEE0E7DE7856754226A9
  SHA256: 9E3593E1973E2497B79E12A67BC19600F48AB82B8552C9D674790C11230C62DD

PID 3888 (svchost.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\~44454134.tmp
  Type: binary
  MD5: F3DDCAC96009D0D3E6E8C0CE5B461DD7
  SHA256: DA531B23F2884A8813C67B45FD3E07FB3BF426DEB735915319A5C069D870C400

PID 2552 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2552.46071\Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com
  Type: executable
  MD5: 887C83EB2AF7519BFC24A9D81D4FC42C
  SHA256: 9EDB033189DBDDC3DDF087BEB68B286724312B8F229FE3C21B4C70176072F7EC

PID 2900 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2900.46802\Ausgleich 13.08.2014 - Rechtsanwalt Ebay GmbH.com
  Type: executable
  MD5: 887C83EB2AF7519BFC24A9D81D4FC42C
  SHA256: 9EDB033189DBDDC3DDF087BEB68B286724312B8F229FE3C21B4C70176072F7EC

PID 1936 (svchost.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\bestumpwjf.pre
  Type: executable
  MD5: 887C83EB2AF7519BFC24A9D81D4FC42C
  SHA256: 9EDB033189DBDDC3DDF087BEB68B286724312B8F229FE3C21B4C70176072F7EC

PID 296 (svchost.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\jmoqqetuha.pre
  Type: executable
  MD5: 887C83EB2AF7519BFC24A9D81D4FC42C
  SHA256: 9EDB033189DBDDC3DDF087BEB68B286724312B8F229FE3C21B4C70176072F7EC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info