File name: opensafezona

Full analysis: https://app.any.run/tasks/8b56f60f-7327-40ae-b4fd-bfa738b965d9
Verdict: Malicious activity
Analysis date: November 05, 2024, 13:50:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: DF8C02540BFA7E2F1B7BA92299714E31
SHA1: C6FB3587F8264F739AB25B459D1C75FD92799821
SHA256: 885E8063FE9689BEC0B1DAE96D3431A51FEB800515BBA38A58C8767783117486
SSDEEP: 12288:gFPdEabuqknp4aCR4tYnDuw5REfB5tiKL+:gFPdEabuz4aCR15mf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts another process probably with elevated privileges via RUNAS.EXE

      • runas.exe (PID: 1652)
    • Creates file in the systems drive root

      • opensafezona.exe (PID: 3700)
    • There is functionality for taking screenshot (YARA)

      • opensafezona.exe (PID: 3700)
    • Write to the desktop.ini file (may be used to cloak folders)

      • opensafezona.exe (PID: 3700)
  • INFO

    • Reads the computer name

      • opensafezona.exe (PID: 3700)
    • Checks supported languages

      • opensafezona.exe (PID: 3700)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (65.5)
.exe | Win32 Executable Borland Delphi 6 (25.8)
.exe | InstallShield setup (4.2)
.exe | Win32 Executable Delphi generic (1.3)
.scr | Windows screen saver (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 408576
InitializedDataSize: 73216
UninitializedDataSize: -
EntryPoint: 0x64a70
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 2

Behavior graph

start -> runas.exe (no specs) -> opensafezona.exe (THREAT)

Process information

PID: 1652
CMD: "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\opensafezona.exe
Path: C:\Windows\System32\runas.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run As Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 3700
CMD: C:\Users\admin\Desktop\opensafezona.exe
Path: C:\Users\admin\Desktop\opensafezona.exe
Parent process: runas.exe
User:
Administrator
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\opensafezona.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 795
Read events: 785
Write events: 8
Delete events: 2

Modification events

(PID) Process: (3700) opensafezona.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\2\52C64B7E
Operation: delete key
Name: (default)
Value:

(PID) Process: (3700) opensafezona.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\2
Operation: delete key
Name: (default)
Value:

(PID) Process: (3700) opensafezona.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3700) opensafezona.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

(PID) Process: (3700) opensafezona.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF
Value: 0100000000000000EEF50EB3892FDB01

(PID) Process: (3700) opensafezona.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {9113A02D-00A3-46B9-BC5F-9C04DADDD5D7} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF
Value: 0100000000000000567F18B3892FDB01

(PID) Process: (3700) opensafezona.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF
Value: 0100000000000000567F18B3892FDB01
Executable files: 0
Suspicious files: 242
Text files: 42
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3700 | opensafezona.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab |
MD5:
SHA256:

3700 | opensafezona.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab[CS 1.7.0.1][corpseworm@protonmail.com].xyz |
MD5:
SHA256:

3700 | opensafezona.exe | C:\Users\Administrator\Desktop\desktop.ini | binary
MD5: 81CE257508BEF02657098B3D91D8444C
SHA256: DE799C175FB60E4B3FAA0113CDD7F12EBD5FDEF9D5C61D5F0E2256621D96DFB3

3700 | opensafezona.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini[CS 1.7.0.1][corpseworm@protonmail.com].egr | binary
MD5: 9D5DEB1BE892190543E37D591ED9081F
SHA256: F14061E3D86A088CB18BE1A2FC9239ACCDF4117A24C6B642EE37509BE01AF508

3700 | opensafezona.exe | C:\Users\Administrator\Desktop\desktop.ini[CS 1.7.0.1][corpseworm@protonmail.com].flr | binary
MD5: 81CE257508BEF02657098B3D91D8444C
SHA256: DE799C175FB60E4B3FAA0113CDD7F12EBD5FDEF9D5C61D5F0E2256621D96DFB3

3700 | opensafezona.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini | binary
MD5: 9D5DEB1BE892190543E37D591ED9081F
SHA256: F14061E3D86A088CB18BE1A2FC9239ACCDF4117A24C6B642EE37509BE01AF508

3700 | opensafezona.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\README.txt | text
MD5: 02BF215E41EED5C0187A3D129F0EE3F1
SHA256: 29194B3534DD1356455F840C2710B10C72383AEBF1B00258D212446F892500B6

3700 | opensafezona.exe | C:\$Recycle.Bin\README.txt | text
MD5: 02BF215E41EED5C0187A3D129F0EE3F1
SHA256: 29194B3534DD1356455F840C2710B10C72383AEBF1B00258D212446F892500B6

3700 | opensafezona.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\README.txt | text
MD5: 02BF215E41EED5C0187A3D129F0EE3F1
SHA256: 29194B3534DD1356455F840C2710B10C72383AEBF1B00258D212446F892500B6

3700 | opensafezona.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab |
MD5:
SHA256:
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:Port | Domain | ASN | CN | Reputation

 |  | 224.0.0.252:5355 |  |  |  | whitelisted
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 |  |  |  | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 |  |  |  | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted

DNS requests

Domain | IP | Reputation

google.com | 142.250.185.238 | whitelisted

Threats

No threats detected
No debug info