File name: 2C17286A718EB4CE665F0DF4A4FF89E33F1DD226C82909CAF18DC725D75DE4CD.zip
Full analysis: https://app.any.run/tasks/73bc2491-4980-4164-88ab-f99c8a49d0b6
Verdict: Malicious activity
Analysis date: December 06, 2019, 18:01:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EE7FB9E1ED23D48452212AAECDE60B1A
SHA1: A04C5256F20FD7EDAE1F96513AD8F29A3469D35A
SHA256: 8924EBA4A59C5A3A590AE3F5C5B6F43BE5CCF35B10985EFC58767305C3060FC5
SSDEEP: 12288:8E/59fZqYtH6GciFno9iZFw5dsLw1urDMDqsY9BvkInOH+G:8E//RqmH6mcgFodsLwU1FOeG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • a.exe (PID: 3328)
      • a.exe (PID: 2484)
      • GetVer.exe (PID: 3372)
      • GetVer.exe (PID: 1252)
    • Changes the autorun value in the registry

      • a.exe (PID: 3328)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • cmd.exe (PID: 2752)
    • Starts CMD.EXE for commands execution

      • a.exe (PID: 3328)
      • cmd.exe (PID: 2752)
    • Application launched itself

      • cmd.exe (PID: 2752)
    • Executable content was dropped or overwritten

      • a.exe (PID: 3328)
      • cmd.exe (PID: 2752)
  • INFO

    • Manual execution by user

      • a.exe (PID: 2484)
      • a.exe (PID: 3328)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 2C17286A718EB4CE665F0DF4A4FF89E33F1DD226C82909CAF18DC725D75DE4CD
ZipUncompressedSize: 784384
ZipCompressedSize: 745013
ZipCRC: 0xbbd9b263
ZipModifyDate: 2019:12:05 16:06:26
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph (in order shown; "no specs" marks a process with no indicators):
  • winrar.exe (no specs)
  • a.exe (no specs)
  • a.exe
  • cmd.exe
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • getver.exe (no specs)
  • getver.exe (no specs)

Process information

PID: 436
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2C17286A718EB4CE665F0DF4A4FF89E33F1DD226C82909CAF18DC725D75DE4CD.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2484
CMD: "C:\Users\admin\Desktop\a.exe"
Path: C:\Users\admin\Desktop\a.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MPS Reporting Tool for Setup and Performance Support
Exit code: 3221226540
Version: 5.2.2004.1

PID: 3328
CMD: "C:\Users\admin\Desktop\a.exe"
Path: C:\Users\admin\Desktop\a.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: MPS Reporting Tool for Setup and Performance Support
Exit code: 0
Version: 5.2.2004.1

PID: 2752
CMD: cmd /c C:\Users\admin\AppData\Local\Temp\IXP000.TMP\MPSRPT.CMD
Path: C:\Windows\system32\cmd.exe
Parent process: a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 255
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 4052
CMD: C:\Windows\system32\cmd.exe /c time /t
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2912
CMD: C:\Windows\system32\cmd.exe /c date /t
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1252
CMD: C:\Windows\MPSReports\Setup\Bin\GETVER.EXE
Path: C:\Windows\MPSReports\Setup\Bin\GetVer.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 61

PID: 3372
CMD: C:\Windows\MPSReports\Setup\Bin\GETVER.EXE
Path: C:\Windows\MPSReports\Setup\Bin\GetVer.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 61
Total events: 462
Read events: 440
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 58
Suspicious files: 0
Text files: 26
Unknown types: 0

Dropped files

PID: 436
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb436.32231\2C17286A718EB4CE665F0DF4A4FF89E33F1DD226C82909CAF18DC725D75DE4CD
MD5:
SHA256:

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\diskmap.exe
Type: executable
MD5: 30A60EEF6571271C5A17540056612B98
SHA256: 902FDC84518135B613428B7DDA7B71E333973CDB6CEC19C344E585CA1A0C4900

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Finish.cmd
Type: text
MD5: E00D8B6B4FE1D99B3889247EA223654E
SHA256: 86ABA7A34287E4FB21E788C230FDF181B5471786A534B92CE889B0F222157F88

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\EULA.TXT
Type: text
MD5: D16BB91F671264BB90213EBFA7089D40
SHA256: B2D7C146627837B8A3CE28F613F627DF1E3CCB96C2F37D26979BC60EE36C2EA4

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\DumpEVT.exe
Type: executable
MD5: 50DE93016C93129D98E2FE4C9DA20018
SHA256: 84CF888C8101F891C41DF936DADCEF559EC566DB305160C1B71F887954B70669

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\DUMPEL.EXE
Type: executable
MD5: C7EB15A205C80BF45347C76B75D1ECE8
SHA256: 6EE872BC3FBEF9F59E74D5E050BC06DE3463DEB57B862946DB464FC34097D4EC

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\XP.cmd
Type: text
MD5: 9DA93CFC4C39972EC0A3F1C05D55AA01
SHA256: BB27F687B0D469DE5FE0A6F0E6F141A8788357EA555468285C447888F8ED7268

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dmdiagnet.exe
Type: executable
MD5: 53A036D010A1EB63B229617AF943D659
SHA256: 9EA2099682D5818E9EF3369ACBCA93C7C7F071A94D6D27EEC18D41B7C0CE2F39

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dmdiag.exe
Type: executable
MD5: 2F742F5B5F937003D6B8B3591FAE1BCB
SHA256: 214B108EFF0AB41211550B17678F0AE55B1A49D9A5A957A72B008C2D94851761

PID: 3328
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CheckSym.exe
Type: executable
MD5: AC9962CB23CA370B8C7183890FA50B46
SHA256: 3E5E35F3CDEAF9E993479C3611DC8622291D72FEBA66C3161A1C871B40E3FFCF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info