analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

6681081937854464.zip

Full analysis: https://app.any.run/tasks/3057f9cb-9b2f-444e-a12d-3dc89cf1c653
Verdict: Malicious activity
Analysis date: November 16, 2019, 08:51:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

87C82B2D261DFA7A05FCEBFFE02F4FBA

SHA1:

B8067014FBB4A7F5CE371685C737A2B8CB3AA7B2

SHA256:

797EB47367B43B8478BD4ACE76A3FD1DB33C765ACF6F4E04BC757E856657CDCA

SSDEEP:

12288:p1naj+3WVqzZNvZfPME64AVN64Ajw8OrKnq/GS:XMCTvZHM4AXgwnAq//

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • s.exe (PID: 940)
      • s.exe (PID: 976)

    • Loads dropped or rewritten executable

      • s.exe (PID: 976)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • s.exe (PID: 976)

    • Starts Internet Explorer

      • s.exe (PID: 976)

  • INFO

    • Manual execution by user

      • s.exe (PID: 976)
      • s.exe (PID: 940)

    • Application launched itself

      • iexplore.exe (PID: 2076)

    • Changes internet zones settings

      • iexplore.exe (PID: 2076)
      • iexplore.exe (PID: 4028)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1928)

    • Creates files in the user directory

      • iexplore.exe (PID: 1928)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0xdab2328b
ZipCompressedSize: 697403
ZipUncompressedSize: 708608
ZipFileName: 5b7dbc2dd059900da712e79a21a3d5dff4ece1d005d888478b2f8315cee6d56d
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs s.exe no specs s.exe iexplore.exe iexplore.exe iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2132"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6681081937854464.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
940"C:\Users\admin\Desktop\s.exe" C:\Users\admin\Desktop\s.exeexplorer.exe
User:
admin
Company:
MPT34M
Integrity Level:
MEDIUM
Description:
cr4cking th3 cod3 4 fun!
Exit code:
3221226540
Version:
1.0
Modules
Images
c:\users\admin\desktop\s.exe
c:\systemroot\system32\ntdll.dll
976"C:\Users\admin\Desktop\s.exe" C:\Users\admin\Desktop\s.exe
explorer.exe
User:
admin
Company:
MPT34M
Integrity Level:
HIGH
Description:
cr4cking th3 cod3 4 fun!
Version:
1.0
Modules
Images
c:\users\admin\desktop\s.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2076"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
s.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4028"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
s.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1928"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2076 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3928"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4028 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 050
Read events
941
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
13
Unknown types
2

Dropped files

PID
Process
Filename
Type
2132WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2132.31508\5b7dbc2dd059900da712e79a21a3d5dff4ece1d005d888478b2f8315cee6d56d
MD5:
SHA256:
4028iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
4028iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2076iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2076iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2076iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8135E833D896F091.TMP
MD5:
SHA256:
2076iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA50A9E676F8D0E8D.TMP
MD5:
SHA256:
2076iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF9058FED689343F18.TMP
MD5:
SHA256:
2076iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE0C2B8BD39F776D6.TMP
MD5:
SHA256:
2076iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{64A2FB30-084E-11EA-AB41-5254004A04AF}.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
13
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1928
iexplore.exe
GET
91.223.82.39:80
http://www.mpt34m.net/images/zen_18_dropdown_v1_2_1.gif
NL
malicious
1928
iexplore.exe
GET
91.223.82.39:80
http://www.mpt34m.net/images/zen_18_dropdown_v1_2_4.gif
NL
malicious
1928
iexplore.exe
GET
91.223.82.39:80
http://www.mpt34m.net/images/zen_18_dropdown_v1_2_5.gif
NL
malicious
1928
iexplore.exe
GET
200
91.223.82.39:80
http://www.mpt34m.net/documents/scripts.js
NL
text
90 b
malicious
1928
iexplore.exe
GET
91.223.82.39:80
http://www.mpt34m.net/1amos_1.png
NL
malicious
1928
iexplore.exe
GET
91.223.82.39:80
http://www.mpt34m.net/extimages/scripts/login_r.png
NL
malicious
1928
iexplore.exe
GET
91.223.82.39:80
http://www.mpt34m.net/extimages/scripts/login_m.png
NL
malicious
1928
iexplore.exe
GET
200
91.223.82.39:80
http://www.mpt34m.net/
NL
html
15.7 Kb
malicious
1928
iexplore.exe
GET
200
91.223.82.39:80
http://www.mpt34m.net/documents/textstyles_nf.css
NL
text
35.3 Kb
malicious
1928
iexplore.exe
GET
200
91.223.82.39:80
http://www.mpt34m.net/images/bgmpt03_bestselenium.jpg
NL
image
216 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4028
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2076
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1928
iexplore.exe
216.58.206.10:443
ajax.googleapis.com
Google Inc.
US
whitelisted
1928
iexplore.exe
173.194.76.82:443
html5shiv.googlecode.com
Google Inc.
US
whitelisted
1928
iexplore.exe
91.223.82.39:80
www.mpt34m.net
Iws Networks LLC
NL
malicious
1928
iexplore.exe
69.171.250.25:443
connect.facebook.net
Facebook, Inc.
US
suspicious
1928
iexplore.exe
31.13.92.36:443
www.facebook.com
Facebook, Inc.
IE
whitelisted
1928
iexplore.exe
69.171.250.25:80
connect.facebook.net
Facebook, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.mpt34m.net
  • 91.223.82.39
malicious
html5shiv.googlecode.com
  • 173.194.76.82
whitelisted
ajax.googleapis.com
  • 216.58.206.10
whitelisted
connect.facebook.net
  • 69.171.250.25
whitelisted
www.facebook.com
  • 31.13.92.36
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
6681081937854464.zip