File name: 2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts.zip

Full analysis: https://app.any.run/tasks/6f05ab41-f3fa-4554-98df-d9ef02d44a0f
Verdict: Malicious activity
Analysis date: January 28, 2022, 12:15:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: CD42BE808C849555356FFC4501012809
SHA1: B78B46D9E370F80504A856F9D961F6976B271687
SHA256: 834B1CFCD8AF177802DC6BC9AEEEDD773B5F3A06A19870A1F983073F153EB131
SSDEEP: 24576:+EDTfZlAYXvQWBniDtnm1lgfvp6wQfsQ8S7V57/tLOF:+ErAYXtBniZmLesnEZUE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2216)
    • Checks supported languages
      • WinRAR.exe (PID: 2216)
    • Reads the computer name
      • WinRAR.exe (PID: 2216)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 2216)
  • INFO
    • Reads the computer name
      • explorer.exe (PID: 3304)
    • Checks supported languages
      • explorer.exe (PID: 3304)
      • NOTEPAD.EXE (PID: 340)
    • Manual execution by user
      • explorer.exe (PID: 3304)
      • NOTEPAD.EXE (PID: 340)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt
ZipUncompressedSize: 3295
ZipCompressedSize: 1610
ZipCRC: 0x74dd10bc
ZipModifyDate: 2022:01:12 18:07:17
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> winrar.exe
explorer.exe (no specs)
notepad.exe (no specs)

Process information

PID: 340
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Indicators: none
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2216
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: see the SUSPICIOUS section above
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3304
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Indicators: none
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 152
Read events: 1 134
Write events: 18
Delete events: 0

Modification events (all by PID 2216, WinRAR.exe)

Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts.zip

Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 8
Suspicious files: 4
Text files: 4
Unknown types: 0

Dropped files (all by PID 2216, WinRAR.exe)

Filename: C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts\2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt
Type: text
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts\DH-1641998904.xll
Type: executable
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\Desktop\2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt
Type: text
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\Desktop\2022-01-12-scheduled-task-for-IcedID.txt
Type: xml
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts\2022-01-12-scheduled-task-for-IcedID.txt
Type: xml
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts\2022-01-12-gzip-binary-from-olerantand.top.bin
Type: compressed
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\Desktop\2022-01-12-gzip-binary-from-olerantand.top.bin
Type: compressed
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts\JavaClassObjectCm.dll
Type: executable
MD5: 332561E4ACA7004ACEFBFFF7B1CD1549
SHA256: CBD2E49A46F4F9DF1BBCD8EB7BA048692A3DDF0108AEF42FF5381C3A3C572B0F

Filename: C:\Users\admin\AppData\Local\Temp\2022-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts\license.dat
Type: binary
MD5: C7C45636CA690ACDAB7FBA1E9D126F8B
SHA256: CFC202B44509F2F607D365858A8218DFDC6B26F8087EFCC5E46F4FEF9AB53705

Filename: C:\Users\admin\Desktop\JavaClassObjectCm.dll
Type: executable
MD5: 332561E4ACA7004ACEFBFFF7B1CD1549
SHA256: CBD2E49A46F4F9DF1BBCD8EB7BA048692A3DDF0108AEF42FF5381C3A3C572B0F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info