analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

idm-crack_2279.zip

Full analysis: https://app.any.run/tasks/9cbe68a2-4d71-400d-b175-4feeace206bd
Verdict: Malicious activity
Analysis date: September 30, 2020, 07:23:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

4B3D410CC7DF0C4587A809DA50CEF1C4

SHA1:

E5F368CBEF98E64E834C592EABE0CA3256DDFBAD

SHA256:

7BEBC916EC79A59617F0D1D85DB9ADE06149671E714DD3FF9D97203EB6669714

SSDEEP:

1536:FOE3UhPenDaYgg8O6Zf9vK7lUJF01Lada7tR/sJ9GAs21LtSM:FDEgnDwBOEyYaUI7ja9HskLAM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • WinRAR.exe (PID: 3996)

    • Application was dropped or rewritten from another process

      • Setup.exe (PID: 3380)
      • Setup.exe (PID: 3892)

    • Deletes shadow copies

      • cmd.exe (PID: 2832)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3344)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3996)

    • Application launched itself

      • WinRAR.exe (PID: 2264)

    • Executed as Windows Service

      • vssvc.exe (PID: 2156)

    • Starts CMD.EXE for commands execution

      • Setup.exe (PID: 3892)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • Setup.exe (PID: 3892)

    • Executed via COM

      • DllHost.exe (PID: 2000)

    • Reads Internet Cache Settings

      • DllHost.exe (PID: 2000)

    • Connects to server without host name

      • Setup.exe (PID: 3892)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Password-2020.txt
ZipUncompressedSize: 5197
ZipCompressedSize: 547
ZipCRC: 0x4b1bf59b
ZipModifyDate: 2020:09:13 14:45:23
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
18
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs winrar.exe setup.exe no specs setup.exe cmd.exe vssadmin.exe no specs vssvc.exe no specs cmd.exe bcdedit.exe no specs cmd.exe bcdedit.exe no specs cmd.exe wbadmin.exe no specs cmd.exe wbadmin.exe no specs cmd.exe wmic.exe no specs WinInetBrokerServer no specs

Process information

PID
CMD
Path
Indicators
Parent process
2264"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\idm-crack_2279.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3996"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2264.46318\Setup.zipC:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3380"C:\Users\admin\AppData\Local\Temp\Rar$EXb3996.47225\Setup.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3996.47225\Setup.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3892"C:\Users\admin\AppData\Local\Temp\Rar$EXb3996.47225\Setup.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3996.47225\Setup.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
2832cmd /C vssadmin Delete Shadows /All /QuietC:\Windows\system32\cmd.exe
Setup.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1544vssadmin Delete Shadows /All /QuietC:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2156C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3344cmd /C bcdedit /set {default} recoveryenabled NoC:\Windows\system32\cmd.exe
Setup.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3496bcdedit /set {default} recoveryenabled NoC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1148cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\cmd.exe
Setup.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 373
Read events
1 250
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
4
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
3892Setup.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.luFQjW
MD5:
SHA256:
3632wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.2.etletl
MD5:35AD50473D9278B18B58E64ADF7BD9D3
SHA256:DA92D8632672588DEE8B3153EAECC03C41228B5E10F1F927D525C166109E878B
3892Setup.exeC:\Users\admin\AppData\Local\Temp\Microsoft\Windows\p4a7Ux\windows.sys:yoglygxpztqveikkjtext
MD5:66BB2C964D2966438A4A19F5B93453F6
SHA256:05F1D5D2A5D7E9F3138020BDB8237FE56BBA8660CC082B77BFA32A7ECBB5991E
3892Setup.exeC:\Users\admin\AppData\Local\Temp\Microsoft\Windows\Ui5caD\windows.sys:ymiuwsmgitpdtbmhtext
MD5:ED3BC47AD32FA3B0AC4E31810DFCADB0
SHA256:E5C71C7D8A5AE82FFC50E784239C3E6C592B2EEBD4D6EA17A5E45CFC6B645546
3996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3996.47225\Setup.exeexecutable
MD5:F269D24544E8BB4CB82680BB396A5F1B
SHA256:CA680208FB28DCA0595CA9F677C7845ACA09C1979DB0A9D680AD6F6BF30B7097
3632wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.1.etletl
MD5:357505B15223A247A3307EB92FB1F249
SHA256:D885511A511B851098414C6A0F840485800FB102B6E6A11009142D3601428942
2264WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2264.46318\Setup.zipcompressed
MD5:647E829E030D7B6773EB074AC22E2A79
SHA256:DD8D0442135668EF867E9462E9DB50D1CB06C63090658CB1689D9E924CC5EEFD
1704wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.1.etletl
MD5:35AD50473D9278B18B58E64ADF7BD9D3
SHA256:DA92D8632672588DEE8B3153EAECC03C41228B5E10F1F927D525C166109E878B
3892Setup.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\DECRYPT-luFQjW-decrypt.htahtml
MD5:E7D3334E905ACB74C62FCFD4CD541968
SHA256:BEAAD8A4318B340DD953112FC9A8AD939A9F67C1E10AE9255429A34091DA4C48
3892Setup.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi.luFQjWkeybinary
MD5:666D939256D02B0E78DC7413013D8563
SHA256:EDA273D7E79816787847D7F5CD0CFC081F33C8972D09C9AE58CEEF97187742A8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3892
Setup.exe
POST
51.83.171.36:80
http://51.83.171.36/fgate
GB
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3892
Setup.exe
51.83.171.35:80
GB
malicious
3892
Setup.exe
51.83.171.36:80
GB
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3892
Setup.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
3892
Setup.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
idm-crack_2279.zip