File name: 7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015

Full analysis: https://app.any.run/tasks/4e07790e-bf63-425f-bbc0-bb779a0b94ca
Verdict: Malicious activity
Analysis date: April 19, 2024, 09:01:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 09BFF35C5CDB1B96B3F4DB7A3AC61C11
SHA1: D54828E023E1D5C39D9392F0EC95C0D102877EA6
SHA256: 7966EE1AE9042E7345A55AA98DDEB4F39133216438D67461C7EE39864292E015
SSDEEP: 98304:EPcpEiDsIYLB8R9L99LmW3oHUHPdA5n2olZs8jv0RdP+cCHkvFVJ8eBMD5SgoC4/:YAOR7W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 1196)
      • Advanced-ip-scanner.exe (PID: 3876)
    • Starts CMD.EXE for self-deleting
      • Advanced-ip-scanner.exe (PID: 3876)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 1196)
      • Advanced-ip-scanner.exe (PID: 3876)
    • Starts a Microsoft application from unusual location
      • Advanced-ip-scanner.exe (PID: 2296)
      • Advanced-ip-scanner.exe (PID: 3876)
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 1196)
    • Application launched itself
      • Advanced-ip-scanner.exe (PID: 2296)
    • Executable content was dropped or overwritten
      • Advanced-ip-scanner.exe (PID: 3876)
    • Starts CMD.EXE for commands execution
      • Advanced-ip-scanner.exe (PID: 3876)
    • Hides command output
      • cmd.exe (PID: 2740)
    • Runs PING.EXE to delay simulation
      • cmd.exe (PID: 2740)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1196)
    • Checks supported languages
      • Advanced-ip-scanner.exe (PID: 2296)
      • Advanced-ip-scanner.exe (PID: 3876)
    • Reads the computer name
      • Advanced-ip-scanner.exe (PID: 2296)
      • Advanced-ip-scanner.exe (PID: 3876)
    • Reads the machine GUID from the registry
      • Advanced-ip-scanner.exe (PID: 2296)
    • Creates files or folders in the user directory
      • Advanced-ip-scanner.exe (PID: 3876)
    • Manual execution by a user
      • explorer.exe (PID: 864)
      • OneDrive.exe (PID: 2920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:03:17 03:25:50
ZipCRC: 0x7b400fe4
ZipCompressedSize: 2334619
ZipUncompressedSize: 23068672
ZipFileName: IVIEWERS.dll
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (image not reproduced), in order: start, winrar.exe, advanced-ip-scanner.exe (no specs), advanced-ip-scanner.exe, onedrive.exe (no specs), cmd.exe (no specs), ping.exe (no specs), explorer.exe (no specs), onedrive.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 864
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1196
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2296
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1196.11527\Advanced-ip-scanner.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1196.11527\Advanced-ip-scanner.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: OLE/COM Object Viewer
Exit code: 0
Version: 6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa1196.11527\advanced-ip-scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2448
CMD: ping -n 3 127.0.0.1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 2548
CMD: "C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe
Parent process: Advanced-ip-scanner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Exit code: 3221225785
Version: 23.256.1211.0001
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\update\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 2740
CMD: cmd.exe /C for /l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in ("C:\Users\admin\AppData\Local\Temp\Rar$EXa1196.11527\Advanced-ip-scanner.exe") do (del /f /q %p & if not exist %p exit))
Path: C:\Windows\System32\cmd.exe
Parent process: Advanced-ip-scanner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2920
CMD: "C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Exit code: 3221225785
Version: 23.256.1211.0001
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\update\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 3876
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1196.11527\Advanced-ip-scanner.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1196.11527\Advanced-ip-scanner.exe
Parent process: Advanced-ip-scanner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: OLE/COM Object Viewer
Exit code: 0
Version: 6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa1196.11527\advanced-ip-scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 6 281
Read events: 6 250
Write events: 31
Delete events: 0

Modification events

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015.zip

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1196
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1196.11527\IVIEWERS.dll
Type: executable
MD5: 980ED493FB2FAAD0376D71523F5ABDCD
SHA256: 722A44F6A4718D853D640381E77D1B9815D6F1663603859FF758DED896860CBA

PID: 3876
Process: Advanced-ip-scanner.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\Secur32.dll
Type: executable
MD5: D5E3EC5E028EA9923C60A8249186AC6D
SHA256: 287A0A80A995F1E62B317CF5FAA1DB94AF6EE9132B0F8483AFBD6819AA903D31

PID: 3876
Process: Advanced-ip-scanner.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe
Type: executable
MD5: 02A60567F6B14748E303C423C38DCC57
SHA256: 9BBA4C707DE5A66D8C47E3E18E575D43BA8011302DAD452230C4B9D6B314EE26

PID: 1196
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1196.11527\Advanced-ip-scanner.exe
Type: executable
MD5: DF33C821C06835A1349CBE3B0C65F24C
SHA256: 0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process     | IP                   | Domain | ASN | CN | Reputation
4    | System      | 192.168.100.255:137  | -      | -   | -  | whitelisted
-    | -           | 224.0.0.252:5355     | -      | -   | -  | unknown
4    | System      | 192.168.100.255:138  | -      | -   | -  | whitelisted
1080 | svchost.exe | 224.0.0.252:5355     | -      | -   | -  | unknown

("-" marks a column left empty in the report; the second row carries no PID or process name in the report.)

DNS requests

No data

Threats

No threats detected
No debug info