File name:

MDE_File_Sample_e7363c1f5e1fb4bda8604df2de27098b375cf699.zip

Full analysis: https://app.any.run/tasks/3434d11d-0fdd-4061-bca8-5c020dafa60e
Verdict: Malicious activity
Analysis date: May 02, 2024, 04:38:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

13AF3D80C5CACE6AAD1FDD0CF30B02F5

SHA1:

3B8405E486CE62AEA4D830AFD59CEE3C371BBCFB

SHA256:

800ACC1011B5EBADE991D581B1F69C9BB4E2CF617A04C2BDCE94A917F0E7D7A7

SSDEEP:

98304:yUyvzo0jkloiXS0kgrKtT2a1VtjOo2OfSUFdPlZikvG+bTCf7SJlOgI83YNWCEfV:smLLeO4Y8p3Aj0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3968)
      • setup_efileID (1).exe (PID: 928)
      • setup_efileID (1).tmp (PID: 820)

    • Changes the autorun value in the registry

      • setup_efileID (1).tmp (PID: 820)

  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • setup_efileID (1).tmp (PID: 820)

    • Executable content was dropped or overwritten

      • setup_efileID (1).exe (PID: 928)
      • setup_efileID (1).tmp (PID: 820)

    • Process drops legitimate windows executable

      • setup_efileID (1).tmp (PID: 820)

    • Starts CMD.EXE for commands execution

      • setup_efileID (1).tmp (PID: 820)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1036)

    • Reads the Internet Settings

      • setup_efileID (1).tmp (PID: 820)

    • Reads security settings of Internet Explorer

      • setup_efileID (1).tmp (PID: 820)

  • INFO

    • Manual execution by a user

      • setup_efileID (1).exe (PID: 928)
      • efileIDAsystent.exe (PID: 1824)

    • Checks supported languages

      • setup_efileID (1).exe (PID: 928)
      • setup_efileID (1).tmp (PID: 820)
      • efileIDAsystent.exe (PID: 304)
      • efileIDAsystent.exe (PID: 1824)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3968)

    • Create files in a temporary directory

      • setup_efileID (1).exe (PID: 928)
      • setup_efileID (1).tmp (PID: 820)

    • Reads the computer name

      • setup_efileID (1).tmp (PID: 820)
      • efileIDAsystent.exe (PID: 304)
      • efileIDAsystent.exe (PID: 1824)

    • Creates files or folders in the user directory

      • setup_efileID (1).tmp (PID: 820)

    • Creates a software uninstall entry

      • setup_efileID (1).tmp (PID: 820)

    • Reads the machine GUID from the registry

      • efileIDAsystent.exe (PID: 1824)
      • efileIDAsystent.exe (PID: 304)

    • Creates files in the program directory

      • efileIDAsystent.exe (PID: 304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2024:05:02 04:36:00
ZipCRC: 0xc137fb25
ZipCompressedSize: 6251597
ZipUncompressedSize: 6413968
ZipFileName: setup_efileID (1).exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe setup_efileid (1).exe setup_efileid (1).tmp cmd.exe no specs taskkill.exe no specs efileidasystent.exe no specs efileidasystent.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
124taskkill /IM efileIDAsystent.exe /FC:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
304"C:\Users\admin\Documents\efile\efileID\bin\efileIDAsystent.exe" C:\Users\admin\Documents\efile\efileID\bin\efileIDAsystent.exesetup_efileID (1).tmp
User:
admin
Company:
e-file sp. z o.o. sp. k.
Integrity Level:
MEDIUM
Description:
e-file [ID] - Asystent
Version:
1.0.0.0
Modules
Images
c:\users\admin\documents\efile\efileid\bin\efileidasystent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
820"C:\Users\admin\AppData\Local\Temp\is-SVCL0.tmp\setup_efileID (1).tmp" /SL5="$30188,5991436,218624,C:\Users\admin\Desktop\setup_efileID (1).exe" C:\Users\admin\AppData\Local\Temp\is-SVCL0.tmp\setup_efileID (1).tmp
setup_efileID (1).exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-svcl0.tmp\setup_efileid (1).tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
928"C:\Users\admin\Desktop\setup_efileID (1).exe" C:\Users\admin\Desktop\setup_efileID (1).exe
explorer.exe
User:
admin
Company:
e-file sp. z o.o. sp. k.
Integrity Level:
MEDIUM
Description:
e-file [ID] Setup
Exit code:
0
Version:
1.4.20.0
Modules
Images
c:\users\admin\desktop\setup_efileid (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1036"cmd.exe" /C taskkill /IM efileIDAsystent.exe /FC:\Windows\System32\cmd.exesetup_efileID (1).tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1824"C:\Users\admin\Documents\efile\efileID\bin\efileIDAsystent.exe" C:\Users\admin\Documents\efile\efileID\bin\efileIDAsystent.exeexplorer.exe
User:
admin
Company:
e-file sp. z o.o. sp. k.
Integrity Level:
MEDIUM
Description:
e-file [ID] - Asystent
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\documents\efile\efileid\bin\efileidasystent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3968"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\MDE_File_Sample_e7363c1f5e1fb4bda8604df2de27098b375cf699.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
6 737
Read events
6 680
Write events
51
Delete events
6

Modification events

(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3968) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\MDE_File_Sample_e7363c1f5e1fb4bda8604df2de27098b375cf699.zip
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3968) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
317
Suspicious files
6
Text files
75
Unknown types
5

Dropped files

PID
Process
Filename
Type
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\is-N06BP.tmp
MD5:
SHA256:
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\is-M7H81.tmp
MD5:
SHA256:
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\is-IRPIL.tmp
MD5:
SHA256:
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\efileIDAsystent.exe
MD5:
SHA256:
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\is-FABVN.tmp
MD5:
SHA256:
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\unins000.exeexecutable
MD5:05B7D8E86446C03A0D6D9055E0EA1EBE
SHA256:11A21CC68A5A793F5B913CA5FCA993CCE5F1F016D73FF74675C6BD39C50404C2
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\is-7K4PT.tmpxml
MD5:DF89365C61D1FA635839541DB8C6214E
SHA256:80767D9559B932A2C0CDFEC7C97AEC14D6F00648856C12EAA588E8EE11B137CC
820setup_efileID (1).tmpC:\Users\admin\AppData\Local\Temp\is-KLQ8D.tmp\licencja efileID.rtftext
MD5:EEF5A9C2F403CD3E3F6A78CB288D5B9F
SHA256:8F223F8AF6CD19F46CF72517FB5D19574B20BF86BED26FF1DF0363AD3A6189DC
820setup_efileID (1).tmpC:\Users\admin\Documents\efile\efileID\bin\IpMatcher.dll
MD5:
SHA256:
3968WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3968.4944\setup_efileID (1).exeexecutable
MD5:61B70413608B35360FBFC9E1DB28260B
SHA256:CC55F6A20E9D36E5E749D2D1AF9D939D23EB2062820284DB31E31F6A30ACB3C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MDE_File_Sample_e7363c1f5e1fb4bda8604df2de27098b375cf699.zip