File name: OP Tool.zip
Full analysis: https://app.any.run/tasks/6e5c7701-0e27-4213-be38-bd0d35cb8b32
Verdict: Malicious activity
Analysis date: November 17, 2019, 04:14:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 32B2C86AADA8E7CF9D54C25BF5D274DB
SHA1: 02AA578DD2029226466B45E7148E22804D9FE524
SHA256: 7D150AD8EB76D4419F3D0410EC3389FB06F1D018CBFCDD4BA471DCB35214FDB4
SSDEEP: 24576:Y20XZ9jaTD2mprtu41l5nazVx9cmlApma4vC:YfXDaTD2mppn1fa5wb46

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Force OP.exe (PID: 1268)
      • Trimmin's OP Tool.exe (PID: 2096)
      • Force OP.exe (PID: 1712)
      • Trimmin's OP Tool.exe (PID: 2040)
      • win32.exe (PID: 1788)
    • Runs injected code in another process
      • win32.exe (PID: 1788)
    • Changes the login/logoff helper path in the registry
      • win32.exe (PID: 1788)
    • Disables Windows System Restore
      • win32.exe (PID: 1788)
    • Changes Image File Execution Options
      • win32.exe (PID: 1788)
    • Application was injected by another process
      • explorer.exe (PID: 352)
    • Changes the autorun value in the registry
      • explorer.exe (PID: 352)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1944)
      • Trimmin's OP Tool.exe (PID: 2096)
      • Force OP.exe (PID: 1712)
    • Creates files in the Windows directory
      • Force OP.exe (PID: 1712)
    • Starts itself from another location
      • Force OP.exe (PID: 1712)
    • Creates files in the user directory
      • win32.exe (PID: 1788)
    • Creates or modifies windows services
      • win32.exe (PID: 1788)
    • Disables SEHOP
      • win32.exe (PID: 1788)
  • INFO
    • Manual execution by user
      • Trimmin's OP Tool.exe (PID: 2096)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 20
  ZipBitFlag: -
  ZipCompression: Deflated
  ZipModifyDate: 2019:10:01 18:50:26
  ZipCRC: 0xf62cc16b
  ZipCompressedSize: 848548
  ZipUncompressedSize: 1314816
  ZipFileName: Trimmin's OP Tool.exe
Total processes: 44
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph (interactive in the full report; only its labels survive here)

Edge types: start, drop and start (x4), inject
Nodes: winrar.exe, trimmin's op tool.exe, trimmin's op tool.exe (no specs), force op.exe (no specs), force op.exe, win32.exe, explorer.exe

Process information

PID 1944
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OP Tool.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2096
  CMD: "C:\Users\admin\Desktop\Trimmin's OP Tool.exe"
  Path: C:\Users\admin\Desktop\Trimmin's OP Tool.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 0.0.0.0

PID 2040
  CMD: "C:\Users\admin\AppData\Local\Temp\Trimmin's OP Tool.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Trimmin's OP Tool.exe
  Parent process: Trimmin's OP Tool.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Viri Force OP
  Version: 1.0.0.0

PID 1268
  CMD: "C:\Users\admin\AppData\Local\Temp\Force OP.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Force OP.exe
  Parent process: Trimmin's OP Tool.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 0.0.0.0

PID 1712
  CMD: "C:\Users\admin\AppData\Local\Temp\Force OP.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Force OP.exe
  Parent process: Trimmin's OP Tool.exe
  User: admin
  Integrity Level: HIGH
  Version: 0.0.0.0

PID 1788
  CMD: "C:\Windows\system32\Windows Services\win32.exe"
  Path: C:\Windows\system32\Windows Services\win32.exe
  Parent process: Force OP.exe
  User: admin
  Integrity Level: HIGH
  Version: 0.0.0.0

PID 352
  CMD: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 973
Read events: 1 818
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 4
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 1944 (WinRAR.exe)
  Filename: C:\Users\admin\Desktop\Files\config.yml
  Type: text
  MD5: 85635673A2F23A3C4DB4E09BDF39965E
  SHA256: 9F73F06C2D3EEA844E5A69BA6FABF012647FFB0365053FB915D296EBC6DA497E

PID 1944 (WinRAR.exe)
  Filename: C:\Users\admin\Desktop\Trimmin's OP Tool.exe
  Type: executable
  MD5: 34FC994B321E0692A07C89FB3D274C48
  SHA256: 555758A04B4DD46B0A7C9D7C0BEAFBE6C403E138A39C5D8849184B5FA48E18FA

PID 2096 (Trimmin's OP Tool.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Force OP.exe
  Type: executable
  MD5: 360C8B9467D82A820EA12FF1AC120C69
  SHA256: B45DFD409D367DFDB131B1D9C8F1022B1C62669F8ECAA76B3F06C07C70A70132

PID 2096 (Trimmin's OP Tool.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Trimmin's OP Tool.exe
  Type: executable
  MD5: 9087EF66D89A7D269A4D119543021405
  SHA256: FB7028AA8017A7A85BE8FBF5775497AE23B95A8571C75FDBFB0A674EF1B1E88D

PID 1712 (Force OP.exe)
  Filename: C:\Windows\system32\Windows Services\win32.exe
  Type: executable
  MD5: 360C8B9467D82A820EA12FF1AC120C69
  SHA256: B45DFD409D367DFDB131B1D9C8F1022B1C62669F8ECAA76B3F06C07C70A70132
  Note: identical hashes to the Force OP.exe dropped by PID 2096, i.e. the same binary copied into the Windows directory under a new name.
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: apexhosting.serveminecraft.net
IP: (none recorded)
Reputation: unknown

Threats

PID / Process: (not listed)
Class: Potentially Bad Traffic
Message: ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net
No debug info