File name: CrystalDiskInfo8_1_0.zip
Full analysis: https://app.any.run/tasks/32303ff8-902e-4d9e-903b-4ffb383fad2a
Verdict: Malicious activity
Analysis date: May 21, 2019, 02:10:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 563D0AE995DC41973260681DAB96AD7A
SHA1: BA60A6C8C9533EFE65B3C33901E0516CE09504A8
SHA256: 840F394F6AAD421BC24FDA4F1625A318C4F1C136D1067BE0C8AB621AF81743EC
SSDEEP: 98304:A74DdJdi5O4M/vvgKQCaPJw6fsYByuRUYSpsU7bzS4/wPbyKZxy9MmQ:FdJdi5OhIKQ4EkASpsU7ZsyQxClQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DiskInfo32.exe (PID: 3628)
      • DiskInfo32.exe (PID: 916)
    • Loads the Task Scheduler COM API

      • CCleaner.exe (PID: 2760)
      • CCleaner.exe (PID: 1976)
      • CCleaner.exe (PID: 592)
    • Actions look like stealing of personal data

      • CCleaner.exe (PID: 592)
      • CCleaner.exe (PID: 1976)
    • Changes the autorun value in the registry

      • CCleaner.exe (PID: 1976)
    • Changes settings of System certificates

      • CCleaner.exe (PID: 592)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2232)
    • Low-level read access rights to disk partition

      • DiskInfo32.exe (PID: 916)
      • CCleaner.exe (PID: 592)
    • Application launched itself

      • CCleaner.exe (PID: 592)
    • Reads the cookies of Mozilla Firefox

      • CCleaner.exe (PID: 592)
    • Creates files in the user directory

      • CCleaner.exe (PID: 592)
    • Reads the cookies of Google Chrome

      • CCleaner.exe (PID: 592)
    • Reads internet explorer settings

      • CCleaner.exe (PID: 592)
      • CCleaner.exe (PID: 1976)
    • Executed via Task Scheduler

      • CCleaner.exe (PID: 592)
    • Adds / modifies Windows certificates

      • CCleaner.exe (PID: 592)
    • Starts Internet Explorer

      • CCleaner.exe (PID: 592)
    • Reads Internet Cache Settings

      • CCleaner.exe (PID: 592)
    • Creates files in the program directory

      • firefox.exe (PID: 3676)
    • Removes files from Windows directory

      • CCleaner.exe (PID: 592)
    • Searches for installed software

      • CCleaner.exe (PID: 592)
  • INFO

    • Manual execution by user

      • DiskInfo32.exe (PID: 916)
      • DiskInfo32.exe (PID: 3628)
      • CCleaner.exe (PID: 2760)
      • WINWORD.EXE (PID: 2860)
      • firefox.exe (PID: 3676)
      • calc.exe (PID: 1048)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2860)
      • iexplore.exe (PID: 2972)
      • firefox.exe (PID: 3676)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2860)
      • CCleaner.exe (PID: 592)
    • Reads settings of System Certificates

      • CCleaner.exe (PID: 592)
    • Application launched itself

      • iexplore.exe (PID: 3204)
      • firefox.exe (PID: 3676)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2972)
    • Changes internet zones settings

      • iexplore.exe (PID: 3204)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2972)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2972)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2972)
    • Reads CPU info

      • firefox.exe (PID: 3676)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP). These fields describe the archive's first entry, CdiResource/, which is a directory entry, so it carries no CRC or sizes:

ZipRequiredVersion: 10 (v1.0 to extract)
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:04:22 21:45:11
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: CdiResource/
No data.
All screenshots are available in the full report
Total processes: 68
Monitored processes: 19
Malicious processes: 3
Suspicious processes: 1

Behavior graph (rendered interactively in the full report; "no specs" marks a node without flagged indicators)

Process nodes in the order shown: winrar.exe, diskinfo32.exe (no specs), diskinfo32.exe, winword.exe (no specs), ccleaner.exe (no specs), ccleaner.exe, ccleaner.exe, iexplore.exe, iexplore.exe, firefox.exe, firefox.exe (no specs), firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, pingsender.exe (no specs), calc.exe (no specs)

Process information

PID 2232: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CrystalDiskInfo8_1_0.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3628: DiskInfo32.exe
  CMD: "C:\Users\admin\Desktop\DiskInfo32.exe"
  Path: C:\Users\admin\Desktop\DiskInfo32.exe
  Parent process: explorer.exe
  User: admin
  Company: Crystal Dew World
  Integrity Level: MEDIUM
  Description: CrystalDiskInfo
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed and the program was restarted elevated as PID 916)
  Version: 8.1.0.2019

PID 916: DiskInfo32.exe
  CMD: "C:\Users\admin\Desktop\DiskInfo32.exe"
  Path: C:\Users\admin\Desktop\DiskInfo32.exe
  Parent process: explorer.exe
  User: admin
  Company: Crystal Dew World
  Integrity Level: HIGH
  Description: CrystalDiskInfo
  Exit code: (still running at the end of the analysis)
  Version: 8.1.0.2019

PID 2860: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ablemodel.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Exit code: 0
  Version: 14.0.6024.1000

PID 2760: CCleaner.exe
  CMD: "C:\Program Files\CCleaner\CCleaner.exe"
  Path: C:\Program Files\CCleaner\CCleaner.exe
  Parent process: explorer.exe
  User: admin
  Company: Piriform Ltd
  Integrity Level: MEDIUM
  Description: CCleaner
  Exit code: 0
  Version: 5, 35, 0, 6210

PID 592: CCleaner.exe
  CMD: "C:\Program Files\CCleaner\CCleaner.exe" /uac
  Path: C:\Program Files\CCleaner\CCleaner.exe
  Parent process: taskeng.exe (Task Scheduler engine). This instance was started by a scheduled task with the /uac switch and runs at HIGH integrity, so it was elevated without a UAC prompt; it is the instance that the "Executed via Task Scheduler", "Application launched itself" and "Starts Internet Explorer" indicators refer to.
  User: admin
  Company: Piriform Ltd
  Integrity Level: HIGH
  Description: CCleaner
  Exit code: 0
  Version: 5, 35, 0, 6210

PID 1976: CCleaner.exe
  CMD: "C:\Program Files\CCleaner\CCleaner.exe" /monitor
  Path: C:\Program Files\CCleaner\CCleaner.exe
  Parent process: CCleaner.exe
  User: admin
  Company: Piriform Ltd
  Integrity Level: HIGH
  Description: CCleaner
  Exit code: (still running at the end of the analysis)
  Version: 5, 35, 0, 6210

PID 3204: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: CCleaner.exe (the browser inherits the HIGH integrity of its elevated parent)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2972: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3204 CREDAT:79873
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe (content process of frame PID 3204, as the SCODEF:3204 argument shows)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3676: firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent process: explorer.exe
  User: admin
  Company: Mozilla Corporation
  Integrity Level: MEDIUM
  Description: Firefox
  Exit code: (still running at the end of the analysis)
  Version: 65.0.2
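The process table above is the part of this report worth automating: the interesting fact is not that CCleaner runs, but that an instance started by taskeng.exe runs at HIGH integrity without a UAC prompt and then hands that integrity level to Internet Explorer. The following is an added example, not ANY.RUN's code or CCleaner's, that reconstructs the lineage from the fields the report gives and flags elevation roots and elevated browsers. The parent PIDs (592 for PIDs 1976 and 3204, 3204 for PID 2972) are an assumption inferred from the "launched itself", "Starts Internet Explorer" and SCODEF:3204 evidence on the page; the report itself names only the parent image. Treating an unmonitored parent as MEDIUM integrity is also an assumption (explorer.exe in an interactive session is medium).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Integrity levels as the sandbox reports them, ranked so they can be compared.
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_image: str
    integrity: str
    parent_pid: Optional[int] = None  # None: the parent is not a monitored process


# Constructed from the report's process table. Parent PIDs are an assumption
# (see the lead-in); the report only names the parent image.
SAMPLE: List[Proc] = [
    Proc(2232, "WinRAR.exe", '"C:\\Program Files\\WinRAR\\WinRAR.exe" "CrystalDiskInfo8_1_0.zip"', "explorer.exe", "MEDIUM"),
    Proc(3628, "DiskInfo32.exe", '"C:\\Users\\admin\\Desktop\\DiskInfo32.exe"', "explorer.exe", "MEDIUM"),
    Proc(916, "DiskInfo32.exe", '"C:\\Users\\admin\\Desktop\\DiskInfo32.exe"', "explorer.exe", "HIGH"),
    Proc(2860, "WINWORD.EXE", '"WINWORD.EXE" /n "ablemodel.rtf"', "explorer.exe", "MEDIUM"),
    Proc(2760, "CCleaner.exe", '"C:\\Program Files\\CCleaner\\CCleaner.exe"', "explorer.exe", "MEDIUM"),
    Proc(592, "CCleaner.exe", '"C:\\Program Files\\CCleaner\\CCleaner.exe" /uac', "taskeng.exe", "HIGH"),
    Proc(1976, "CCleaner.exe", '"C:\\Program Files\\CCleaner\\CCleaner.exe" /monitor', "CCleaner.exe", "HIGH", 592),
    Proc(3204, "iexplore.exe", '"iexplore.exe" -nohome', "CCleaner.exe", "HIGH", 592),
    Proc(2972, "iexplore.exe", '"iexplore.exe" SCODEF:3204 CREDAT:79873', "iexplore.exe", "HIGH", 3204),
    Proc(3676, "firefox.exe", '"C:\\Program Files\\Mozilla Firefox\\firefox.exe"', "explorer.exe", "MEDIUM"),
]


def build_tree(procs: List[Proc]):
    """Index processes by PID and collect children whose parent is monitored."""
    by_pid = {p.pid: p for p in procs}
    children: Dict[int, List[int]] = {}
    for p in procs:
        if p.parent_pid in by_pid:
            children.setdefault(p.parent_pid, []).append(p.pid)
    return by_pid, children


def descendants(pid: int, children: Dict[int, List[int]]) -> List[int]:
    """All monitored descendants of pid, breadth first."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        child = queue.pop(0)
        out.append(child)
        queue.extend(children.get(child, []))
    return out


def find_elevation_roots(procs: List[Proc], default_parent_integrity: str = "MEDIUM") -> List[dict]:
    """Processes running at a higher integrity than their parent, with the lineage that inherits it.

    An unmonitored parent (explorer.exe, taskeng.exe) is assumed to run at
    default_parent_integrity; a HIGH child of taskeng.exe means a scheduled task
    with elevated privileges, i.e. no UAC prompt was shown for it."""
    by_pid, children = build_tree(procs)
    roots = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        parent_level = parent.integrity if parent else default_parent_integrity
        if INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent_level]:
            via_task = p.parent_image.lower() == "taskeng.exe"
            roots.append({
                "pid": p.pid,
                "image": p.image,
                "via": p.parent_image,
                "reason": "scheduled task, no UAC prompt" if via_task else "UAC consent or auto-elevation",
                "uac_switch": "/uac" in p.cmdline.lower(),
                "inherits": descendants(p.pid, children),
            })
    return roots


def elevated_browsers(procs: List[Proc]) -> List[int]:
    """Browsers running at HIGH or above: every page they render runs elevated."""
    return [p.pid for p in procs
            if p.image.lower() in BROWSERS and INTEGRITY_RANK[p.integrity] >= INTEGRITY_RANK["HIGH"]]


if __name__ == "__main__":
    for root in find_elevation_roots(SAMPLE):
        print(f"PID {root['pid']} {root['image']} via {root['via']}: {root['reason']}; "
              f"inherited by {root['inherits']}")
    print("elevated browsers:", elevated_browsers(SAMPLE))
```

On this report the check yields two elevation roots: PID 916 (DiskInfo32.exe, the normal UAC consent after PID 3628 exited with STATUS_ELEVATION_REQUIRED) and PID 592 (CCleaner.exe /uac under taskeng.exe), whose HIGH integrity is inherited by PIDs 1976, 3204 and 2972. The second case is the one to look at in a real investigation: an elevated browser instance that a scheduled task created without any prompt.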
Total events: 5 090
Read events: 4 166
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 2
Suspicious files: 86
Text files: 520
Unknown types: 69

Dropped files

All entries were written by PID 2232 (WinRAR.exe) into its temporary extraction directory C:\Users\admin\AppData\Local\Temp\Rar$DRa2232.15807\ (paths below are relative to it):

CdiResource\AlertMail.exe (executable)
  MD5: 46A29DAB77E0C3FF5B7E0EA2F1E5B7C8
  SHA256: A9B8A51A99B4C63038C948C5BDA54750EA85E0D9B4DB7D78FB4DAC9D8854FEEA

CdiResource\dialog\image\buttonEnable.png (image)
  MD5: FB6BD83144C157F965B020763481B2C0
  SHA256: 45EB98AE366BD57046F42E7B9C52552505BECD6F467A10781D00BCE0E0E39D6C

CdiResource\dialog\Graph.html (html)
  MD5: 006B850CE85CFBCC92BBEE6966BDF0D5
  SHA256: 647860CDA8FDF6F344B835472C04ACB929EA411270F780B4FA27161E9E145C35

CdiResource\dialog\Graph.css (text)
  MD5: 92D30E5381370231C4888B57D29D27C6
  SHA256: 5D6EDF2D14B16C1C47E85609346874593B4E989214AFDBFEF4D849A30F9F719F

CdiResource\dialog\image\buttonDisable.png (image)
  MD5: 8CE9F3A5880F1C753F75E814A77EED91
  SHA256: EA1304F8D276D6E0775611C6FA8E0DEC1E320F4D13F94C1AB8F03F22328774FB

CdiResource\dialog\flot\jquery.min.js (text)
  MD5: A9331828C517AC5D97F93B3CFDBCC9BC
  SHA256: D548530775A6286F49BA66E0715876B4EC5985966B0291C21568FECFC4178E8D

CdiResource\AlertMail4.exe (executable)
  MD5: 7E919B00AEE429607FF663A6511F179F
  SHA256: CFB06B92A0483AAD4D653DB58121417B776D41C80DB5CAB1B4465C172F4168A9

CdiResource\dialog\image\GraphAllOn.png (image)
  MD5: AD5566B216D5BA4997966A9964D1C64B
  SHA256: 2730DE1C517663AA87403ABEAF6FE562BC5EABD15FA0C0D898C1AFE37276C935

CdiResource\dialog\flot\jquery.flot.min.js (text)
  MD5: F1843ACDB53F2C88903F89E4E175CD32
  SHA256: 8A0F1DD79995A9308CFFDCAE12445D9F727D66A450EF5158280E0724DE55C32F

CdiResource\dialog\flot\excanvas.min.js (text)
  MD5: 08182065D2093C978A9BFA16B0829173
  SHA256: 5F94B032A110504B7B261EAF71392FA3E8D82CDC6455C0CBA5C9F03CD34ED122
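The archive metadata (EXIF/TRiD) and the dropped-file list above are the two things to check before anything is executed: which members are PE files regardless of their extension, whether any member path escapes the extraction directory, and whether the per-member hashes match what the report lists. The following is an added example, not ANY.RUN's code or part of CrystalDiskInfo, that performs that static triage on a ZIP entirely in memory. The archive it builds is constructed for the example (a CdiResource/ directory entry, a fake PE named AlertMail.exe, a stylesheet and a zip-slip path); it is not the CrystalDiskInfo8_1_0.zip from the report, so its hashes will not match the ones above.

```python
import hashlib
import io
import posixpath
import zipfile
from typing import Dict, List

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def build_sample_zip() -> bytes:
    """Constructed sample archive for this example (not the report's ZIP):
    a directory entry, a PE-looking executable, a text file and a zip-slip path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("CdiResource/", b"")
        zf.writestr("CdiResource/AlertMail.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64)
        zf.writestr("CdiResource/dialog/Graph.css", b"body { color: #000; }\n")
        zf.writestr("../../Users/admin/AppData/Roaming/evil.exe", b"MZ" + b"\x00" * 100)
    return buf.getvalue()


def archive_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of the whole archive, upper-cased like the report lists them."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def is_unsafe_path(name: str) -> bool:
    """Zip-slip check: absolute paths, drive letters, or '..' escaping the extraction root."""
    unix = name.replace("\\", "/")
    if unix.startswith("/"):
        return True
    if ":" in unix.split("/")[0]:
        return True
    return posixpath.normpath(unix).startswith("..")


def triage_zip(data: bytes) -> List[dict]:
    """Hash every file member and flag PE content, extension mismatches and unsafe paths."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directory entries such as CdiResource/ carry no data
            payload = zf.read(info)
            flags = []
            if is_unsafe_path(info.filename):
                flags.append("path-traversal")
            if payload[:2] == b"MZ":  # DOS header magic: a PE file whatever the name says
                flags.append("pe-executable")
                if posixpath.splitext(info.filename)[1].lower() not in PE_EXTENSIONS:
                    flags.append("extension-mismatch")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "md5": hashlib.md5(payload).hexdigest().upper(),
                "sha256": hashlib.sha256(payload).hexdigest().upper(),
                "flags": flags,
            })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Counts a triage note would lead with."""
    return {
        "members": len(findings),
        "executables": sum("pe-executable" in f["flags"] for f in findings),
        "traversal": sum("path-traversal" in f["flags"] for f in findings),
    }


if __name__ == "__main__":
    sample = build_sample_zip()
    print(archive_hashes(sample))
    findings = triage_zip(sample)
    for f in findings:
        print(f"{f['name']:45} {f['size']:6} {f['sha256'][:16]}... {f['flags']}")
    print(summarize(findings))
```

Run against the real archive, replace build_sample_zip() with the bytes of the file and compare archive_hashes() with the MD5/SHA1/SHA256 at the top of the report before trusting the rest of the page; the member hashes should then line up with the dropped-file list.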
HTTP(S) requests: 18
TCP/UDP connections: 62
DNS requests: 83
Threats: 0

HTTP requests (PID Process | Method Code | IP | URL | CN | Type | Size | Reputation; "-" where the report shows no value)

2972 iexplore.exe | GET 301 | 151.101.0.64:80 | http://www.piriform.com/ccleaner/update?a=0&v=5.35.6210&l=1033&o=6.1W3&t=4&au=1 | US | - | - | whitelisted
592 CCleaner.exe | GET 301 | 151.101.0.64:80 | http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127 | US | - | - | whitelisted
2972 iexplore.exe | GET 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.1 Kb | whitelisted
3676 firefox.exe | GET 200 | 95.100.39.8:80 | http://detectportal.firefox.com/success.txt | DE | text | 8 b | whitelisted
3676 firefox.exe | POST 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3676 firefox.exe | POST 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3676 firefox.exe | GET 302 | 18.208.31.59:80 | http://download.mozilla.org/?product=firefox-66.0.5-complete&os=win&lang=en-US | US | html | 129 b | whitelisted
3676 firefox.exe | POST 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
3676 firefox.exe | POST 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3676 firefox.exe | POST 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
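Every request in the table is plain HTTP, and the one sent by the elevated CCleaner instance (PID 592) carries a licence-key-shaped mk value, a 64-hex mx value and a gu GUID in the query string: identifiers that tie this machine to the vendor's update endpoint in cleartext. The following is an added example, not ANY.RUN's code, that takes request rows in the shape of the table above, groups hosts per process, and flags cleartext requests whose query parameters look like machine or licence identifiers. The rows are constructed from the report; the classification regexes and the parameter names they match are this example's own heuristics, not anything documented by Piriform.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed from the report's HTTP request table: (pid, process, method, status, url).
SAMPLE_REQUESTS: List[Tuple[int, str, str, int, str]] = [
    (2972, "iexplore.exe", "GET", 301,
     "http://www.piriform.com/ccleaner/update?a=0&v=5.35.6210&l=1033&o=6.1W3&t=4&au=1"),
    (592, "CCleaner.exe", "GET", 301,
     "http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk="
     "&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1"
     "&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714"
     "&gu=00000000-0000-4000-8000-d6f7f2be5127"),
    (2972, "iexplore.exe", "GET", 200,
     "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"),
    (3676, "firefox.exe", "GET", 200, "http://detectportal.firefox.com/success.txt"),
    (3676, "firefox.exe", "POST", 200, "http://ocsp.digicert.com/"),
    (3676, "firefox.exe", "GET", 302,
     "http://download.mozilla.org/?product=firefox-66.0.5-complete&os=win&lang=en-US"),
    (3676, "firefox.exe", "POST", 200, "http://ocsp.pki.goog/GTSGIAG3"),
]

# Heuristic shapes of identifiers that should not travel in a cleartext query string.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX64_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
KEY_GROUPS_RE = re.compile(r"^(?:[A-Z0-9]{4}-){3,}[A-Z0-9]{4}$")


def classify_value(value: str) -> Optional[str]:
    """Label a query value by shape; None when it looks like ordinary data."""
    if GUID_RE.match(value):
        return "guid"
    if HEX64_RE.match(value):
        return "sha256-like"
    if KEY_GROUPS_RE.match(value):
        return "license-key-like"
    return None


def scan_requests(rows) -> List[dict]:
    """Cleartext (http://) requests whose query string carries identifier-shaped values."""
    findings = []
    for pid, process, method, status, url in rows:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # only cleartext requests expose the query string on the wire
        identifiers = [(key, kind) for key, kind in
                       ((k, classify_value(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True))
                       if kind]
        if identifiers:
            findings.append({"pid": pid, "process": process, "method": method, "status": status,
                             "host": parts.hostname, "path": parts.path, "identifiers": identifiers})
    return findings


def hosts_by_process(rows) -> Dict[Tuple[int, str], Set[str]]:
    """Which hosts each monitored process talked to: the quick view of who phones home."""
    out: Dict[Tuple[int, str], Set[str]] = {}
    for pid, process, _method, _status, url in rows:
        out.setdefault((pid, process), set()).add(urlsplit(url).hostname)
    return out


if __name__ == "__main__":
    for (pid, process), hosts in sorted(hosts_by_process(SAMPLE_REQUESTS).items()):
        print(f"PID {pid} {process}: {', '.join(sorted(hosts))}")
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"PID {f['pid']} {f['process']} {f['method']} http://{f['host']}{f['path']} "
              f"leaks {f['identifiers']}")
```

On these rows only the PID 592 request is flagged, with mk, mx and gu. The same scan over the full PCAP (linked from the report) is the way to confirm that no other process sends the GUID to a second host.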

Connections (PID Process | IP | Domain | ASN | CN | Reputation)

2972 iexplore.exe | 216.58.207.68:443 | www.google.com | Google Inc. | US | whitelisted
592 CCleaner.exe | 151.101.0.64:80 | www.piriform.com | Fastly | US | whitelisted
2972 iexplore.exe | 172.217.22.67:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
592 CCleaner.exe | 151.101.2.202:443 | www.ccleaner.com | Fastly | US | suspicious
(PID not shown in the report) | 151.101.0.64:443 | www.piriform.com | Fastly | US | whitelisted
3204 iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
592 CCleaner.exe | 151.101.0.64:443 | www.piriform.com | Fastly | US | whitelisted
2972 iexplore.exe | 151.101.2.202:443 | www.ccleaner.com | Fastly | US | suspicious
2972 iexplore.exe | 172.217.18.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2972 iexplore.exe | 2.21.36.164:443 | s7.addthis.com | GTT Communications Inc. | FR | suspicious

DNS requests (Domain: resolved IPs (Reputation))

www.piriform.com: 151.101.0.64, 151.101.64.64, 151.101.128.64, 151.101.192.64 (whitelisted)
www.ccleaner.com: 151.101.2.202, 151.101.66.202, 151.101.130.202, 151.101.194.202 (whitelisted)
www.bing.com: 204.79.197.200, 13.107.21.200 (whitelisted)
www.google.com: 216.58.207.68 (whitelisted)
s7.addthis.com: 2.21.36.164 (whitelisted)
fonts.googleapis.com: 172.217.18.170 (whitelisted)
fonts.gstatic.com: 172.217.22.67 (whitelisted)
www.googletagmanager.com: 216.58.210.8 (whitelisted)
dev.visualwebsiteoptimizer.com: 159.122.87.153, 159.122.87.148 (whitelisted)
s1.pir.fm: 151.139.237.73 (suspicious)

Threats: No threats detected

Debug info: none