Sample: coonzie.rar

Full analysis: https://app.any.run/tasks/1ed3632d-bd80-4e07-ae9e-cf8027f07595
Verdict: Malicious activity
Analysis date: February 19, 2019, 04:11:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 93D5DCEAD0359638073D5D7ED32AA073
SHA1: 722A0E91EE57CB0114006C847A298F40B3E3AA17
SHA256: 7352D9CC074C066B65C37C4949FD02292822EEEC7DA6C9FE7912BBEB92194083
SSDEEP: 24576:WreLXN0LziqRPLHa8URfn3N8YNya6VWPQfxW4eH1BOKiVLRA8LE:gK0LziqRDA3HyaqWPQfunEVLRA8LE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 760)
      • Coonzie.exe (PID: 2220)
    • Application was dropped or rewritten from another process
      • Coonzie.exe (PID: 2220)
  • SUSPICIOUS
    • Starts Internet Explorer
      • Coonzie.exe (PID: 2220)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3036)
  • INFO
    • Reads internet explorer settings
      • iexplore.exe (PID: 1860)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 1860)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3796)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3796)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3796)
    • Changes internet zones settings
      • iexplore.exe (PID: 3796)
    • Creates files in the user directory
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3376)
      • iexplore.exe (PID: 1860)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, searchprotocolhost.exe (no specs), coonzie.exe, iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID: 3036
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\coonzie.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 760
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2220
CMD: "C:\Users\admin\Desktop\Coonzie.exe"
Path: C:\Users\admin\Desktop\Coonzie.exe
Parent process: explorer.exe
User: admin
Company: egg
Integrity Level: MEDIUM
Description: Coonzie
Version: 1.0.0.0

PID: 3796
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Coonzie.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1860
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3796 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3376
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131
Total events: 1 062
Read events: 877
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 0
Text files: 73
Unknown types: 4

Dropped files

PID: 3036 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.2397\Bunifu_UI_v1.5.3.dll
Type:
MD5:
SHA256:

PID: 3796 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
Type:
MD5:
SHA256:

PID: 3796 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type:
MD5:
SHA256:

PID: 1860 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\quest[1].txt
Type:
MD5:
SHA256:

PID: 1860 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\oksdk[1].js
Type: text
MD5: E7041094CACE12DE243AB69EC85736D5
SHA256: D3AB629C56CECDE61062379DC1140881FD050F17385E4244C28F0CF23A3C989B

PID: 1860 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\js[1]
Type: text
MD5: 8D88485065617D3A271A1228B33604B1
SHA256: A626F6392F9E8C8DB001EC8A0DC6D0BACC85AED16EA7DB1475117EA39DACB917

PID: 3036 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.2397\Coonzie.exe
Type: executable
MD5: 5EB494AFA1DC62EF2B6AB5B1508F29EA
SHA256: 6DBF8F1DC857C10C18C0FFD5FA35339563F72ADA1AF49915C105C5CE1006E8A0

PID: 1860 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
Type: text
MD5: C44A746E71F0D291B38158E5E6FBE27C
SHA256: B96631F4C73FD4A50EA9CA0B481BA098CCF8EB232678828810AD59A1EE6C860A

PID: 1860 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\quest[1].htm
Type: html
MD5: E27D6A92F23C1C250B1F2C333BC58C2A
SHA256: FE7A8F536FA80F6EEF53B99CA8900E87E81581B616A1681F0B9CBD3A965AB8FA

PID: 3036 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.2397\WeAreDevs_API.dll
Type: executable
MD5: 2244C2800311A7C4F2141CD1E5D162AB
SHA256: A79318C2174CA45B6DB8A2564A8679CFBEE16EC6A2FD726603BB04B15A702DDF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 31
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3796 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1860 | iexplore.exe | 216.58.207.78:443 | apis.google.com | Google Inc. | US | whitelisted
1860 | iexplore.exe | 77.88.21.90:443 | an.yandex.ru | YANDEX LLC | RU | whitelisted
1860 | iexplore.exe | 93.158.134.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted
1860 | iexplore.exe | 172.217.18.2:443 | www.googletagservices.com | Google Inc. | US | whitelisted
3796 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1860 | iexplore.exe | 74.125.206.156:443 | stats.g.doubleclick.net | Google Inc. | US | whitelisted
2220 | Coonzie.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared
1860 | iexplore.exe | 216.58.207.42:443 | ajax.googleapis.com | Google Inc. | US | whitelisted
1860 | iexplore.exe | 109.234.153.51:443 | setquest.com | OOO Network of data-centers Selectel | RU | unknown
1860 | iexplore.exe | 172.217.23.174:443 | www.google-analytics.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
pastebin.com | 104.20.208.21, 104.20.209.21 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
setquest.com | 109.234.153.51 | whitelisted
apis.google.com | 216.58.207.78 | whitelisted
www.googletagmanager.com | 172.217.22.8 | whitelisted
ajax.googleapis.com | 216.58.207.42, 216.58.207.74, 172.217.16.170, 172.217.16.138, 172.217.22.74, 172.217.22.106, 216.58.210.10, 172.217.16.202, 172.217.18.106, 172.217.23.170, 172.217.21.202, 172.217.21.234, 172.217.22.10, 172.217.18.170, 172.217.23.138 | whitelisted
vk.com | 87.240.129.71, 87.240.180.136, 87.240.129.133, 87.240.131.132, 87.240.190.67 | whitelisted
maxcdn.bootstrapcdn.com | 209.197.3.15 | whitelisted
mc.yandex.ru | 93.158.134.119, 87.250.250.119, 77.88.21.119, 87.250.251.119 | whitelisted
www.google-analytics.com | 172.217.23.174 | whitelisted

Threats

No threats detected
No debug info