analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | UserOverflow.zip |
| Full analysis: | https://app.any.run/tasks/51ac5875-c56e-4ecf-acba-a381cb01e756 |
| Verdict: | Malicious activity |
| Analysis date: | November 30, 2020, 02:55:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v5.1 to extract |
| MD5: | E63EB8701ABEAFC17E18807F996A2C4B |
| SHA1: | E11387F6C188416F43E1A72F4FFDD759F4E43E54 |
| SHA256: | 7EAFD43C18F9613D762567CB5E00D58DF71208D6B94C23D634DAEC42170E0D6C |
| SSDEEP: | 12288:3vKCI7fDejRGO3Aq/GYakzIbNmUywpTMwWEMnPz4:fKCI7mLANFkGtMwlyL4 |
MALICIOUS
Application was dropped or rewritten from another process
- [email protected] (PID: 1744)
Starts NET.EXE to view/add/change user profiles
- [email protected] (PID: 1744)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1724)
Starts Internet Explorer
- [email protected] (PID: 1744)
Executed via COM
- DllHost.exe (PID: 2064)
INFO
Reads settings of System Certificates
- iexplore.exe (PID: 2952)
Changes internet zones settings
- iexplore.exe (PID: 3672)
Application launched itself
- iexplore.exe (PID: 3672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 51 |
|---|---|
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 2018:12:02 22:04:29 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | 577729 |
| ZipUncompressedSize: | 591872 |
| ZipFileName: | [email protected] |
Total processes
342
Monitored processes
205
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1724 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UserOverflow.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 1073807364 Version: 5.60.0 | ||||
| 1744 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1724.29542\[email protected]" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1724.29542\[email protected] | — | WinRAR.exe |
User: admin Company: Endermanch Integrity Level: MEDIUM Description: A program overflowing user quantity in Windows Exit code: 0 Version: 1.0.0.2 | ||||
| 3672 | "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/endermanch | C:\Program Files\Internet Explorer\iexplore.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
| 2952 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3672 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
| 2800 | "C:\Windows\System32\net.exe" user user1 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2964 | "C:\Windows\System32\net.exe" user user2 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2088 | "C:\Windows\System32\net.exe" user user3 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 1196 | "C:\Windows\System32\net.exe" user user4 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 1096 | "C:\Windows\System32\net.exe" user user5 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2156 | C:\Windows\system32\net1 user user1 death /add | C:\Windows\system32\net1.exe | — | net.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
959
Read events
898
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
10
Text files
0
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab2AA3.tmp | — | |
MD5:— | SHA256:— | |||
| 2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar2AA4.tmp | — | |
MD5:— | SHA256:— | |||
| 3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFAE7F9DB9AFCC2313.TMP | — | |
MD5:— | SHA256:— | |||
| 3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFA9D94A04317A0012.TMP | — | |
MD5:— | SHA256:— | |||
| 3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF0895F8333AFB122F.TMP | — | |
MD5:— | SHA256:— | |||
| 3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4BE6593B18847989.TMP | — | |
MD5:— | SHA256:— | |||
| 3672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BCFFF6AD-32B7-11EB-8E7A-12A9866C77DE}.dat | — | |
MD5:— | SHA256:— | |||
| 2952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | |
MD5:8F8A553DF8870F1BC9F6AEBE981BE8E7 | SHA256:4CE227259BF8A72F865A17EC1A43AAA48EC5B479AFC5065C934272C18A9B5A20 | |||
| 3672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42A7EDC2-DE02-11E9-92C0-5254004A04AF}.dat | binary | |
MD5:CB50C829C8A78515AF2FB2B1CEB51AB2 | SHA256:1CBBF056A9ECBD707696340E5A1C89CB6D61CE164A72E0CA275BFCAF73D4869E | |||
| 3672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{BCFFF6B0-32B7-11EB-8E7A-12A9866C77DE}.dat | binary | |
MD5:6D2C586BF21A03CFBE0F41DB22BBB7F5 | SHA256:38FC702F7B843AF3036DB325DA7C07C5B9C42DE6AF6BB63F993FFF65A5D4FBF1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
7
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD76E8xQFZstgIAAAAAgFWS | US | der | 472 b | whitelisted |
1528 | werfault.exe | GET | — | 13.88.21.125:80 | http://watson.microsoft.com/StageOne/Generic/AppHangB1/dllhost_exe/6_1_7600_16385/4a5bc6b7/2a4b/0.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | — | — | whitelisted |
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD76E8xQFZstgIAAAAAgFWS | US | der | 472 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2952 | iexplore.exe | 172.217.18.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
1528 | werfault.exe | 13.88.21.125:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
2952 | iexplore.exe | 64.233.169.190:443 | www.youtube.com | Google Inc. | US | unknown |
2952 | iexplore.exe | 64.233.168.91:443 | youtube.com | Google Inc. | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
youtube.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.youtube.com |
| whitelisted |
watson.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1528 | werfault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft |
1528 | werfault.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |