| File name: | 21590684287.zip |
| Full analysis: | https://app.any.run/tasks/617ce49b-081d-4956-9b0a-16e9ba726eb7 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 24, 2025, 18:47:19 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | B05AB76569CD9D169E273335CEB6ACD6 |
| SHA1: | 7D8AD6652F5360FA71588E417EAF7F1BDA6D99A4 |
| SHA256: | 8EEC4BB537EC21EC13F3547B7AEE72AA61AC6D369953587347DED3796ADBDC04 |
| SSDEEP: | 384:jDNTS5WkhcJwJyjFXNYy+fiK5/mUs/zac8upqx+PzgLUGdhZ80yxi:jpO5AwYYy+5w/2c8ucxjdT80yxi |
MALICIOUS
Changes the autorun value in the registry
- a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe (PID: 3664)
Actions looks like stealing of personal data
- findstr.exe (PID: 2976)
- winmgmt.exe (PID: 3276)
- cmd.exe (PID: 3228)
Starts NET.EXE to view/change users localgroup
- cmd.exe (PID: 3228)
- net.exe (PID: 3128)
Starts NET.EXE to view/add/change user profiles
- net.exe (PID: 3336)
- cmd.exe (PID: 3228)
Starts NET.EXE for service management
- cmd.exe (PID: 3228)
- net.exe (PID: 1820)
Starts NET.EXE to view/change shared resources
- cmd.exe (PID: 3228)
- net.exe (PID: 3588)
Changes appearance of the Explorer extensions
- winmgmt.exe (PID: 3276)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 2624)
Creates file in the systems drive root
- WinRAR.exe (PID: 2624)
- a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe (PID: 3664)
- cmd.exe (PID: 3228)
- ntvdm.exe (PID: 3264)
Uses RUNDLL32.EXE to load library
- WinRAR.exe (PID: 2624)
Application launched itself
- WinRAR.exe (PID: 2624)
- cmd.exe (PID: 3228)
Starts itself from another location
- a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe (PID: 3664)
Executable content was dropped or overwritten
- dllhost.exe (PID: 2860)
- a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe (PID: 3664)
Starts CMD.EXE for commands execution
- winmgmt.exe (PID: 3276)
- NETSTAT.EXE (PID: 1608)
- cmd.exe (PID: 3228)
Executing commands from a ".bat" file
- winmgmt.exe (PID: 3276)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 3228)
Starts application with an unusual extension
- cmd.exe (PID: 3228)
Get information on the list of running processes
- cmd.exe (PID: 3228)
Uses ROUTE.EXE to obtain the routing table information
- cmd.exe (PID: 1236)
Process uses IPCONFIG to discover network configuration
- cmd.exe (PID: 3228)
Process uses ARP to discover network configuration
- cmd.exe (PID: 3228)
Uses SYSTEMINFO.EXE to read the environment
- cmd.exe (PID: 3228)
Starts NET.EXE to map network drives
- cmd.exe (PID: 3228)
Gets the drive type (SCRIPT)
- cscript.exe (PID: 2504)
Starts NET.EXE for network exploration
- cmd.exe (PID: 3228)
The process executes VB scripts
- cmd.exe (PID: 3228)
Creates FileSystem object to access computer's file system (SCRIPT)
- cscript.exe (PID: 2504)
Gets a collection of all available drive names (SCRIPT)
- cscript.exe (PID: 2504)
Process uses NBTSTAT to discover network configuration
- cmd.exe (PID: 3228)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2624)
- WinRAR.exe (PID: 2096)
Manual execution by a user
- explorer.exe (PID: 1460)
- a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe (PID: 3664)
Creates files in the program directory
- a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe (PID: 3664)
Checks supported languages
- winmgmt.exe (PID: 3276)
- a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe (PID: 3664)
- chcp.com (PID: 3040)
Create files in a temporary directory
- winmgmt.exe (PID: 3276)
Reads the computer name
- winmgmt.exe (PID: 3276)
Changes the display of characters in the console
- cmd.exe (PID: 3228)
Reads security settings of Internet Explorer
- cscript.exe (PID: 2504)
Prints a route via ROUTE.EXE
- ROUTE.EXE (PID: 756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:00:00 00:00:00 |
| ZipCRC: | 0x4e79888d |
| ZipCompressedSize: | 17243 |
| ZipUncompressedSize: | 90112 |
| ZipFileName: | a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc |
Total processes
104
Monitored processes
54
Malicious processes
5
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 656 | C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\admin\AppData\Local\Temp\t.log " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 692 | net use | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 756 | C:\Windows\system32\route.exe print | C:\Windows\System32\ROUTE.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Route Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 904 | reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1236 | C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print | C:\Windows\System32\cmd.exe | — | NETSTAT.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1372 | C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\admin\AppData\Local\Temp\t.log " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1408 | C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\admin\AppData\Local\Temp\s.log " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1460 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1608 | netstat -r | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1612 | find /i /v "¬A╛╣" | C:\Windows\System32\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 666
Read events
4 577
Write events
64
Delete events
25
Modification events
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\21590684287.zip | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2624) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
5
Suspicious files
2
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2096 | WinRAR.exe | C:\a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc | executable | |
MD5:07A6E1B4545869F820D2D974FE975DF1 | SHA256:A00AEF230D4CAE1F163A4B930A40748EFAAF41F0FF8EE0B9DA8309680F39CEFC | |||
| 2860 | dllhost.exe | C:\a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe | executable | |
MD5:07A6E1B4545869F820D2D974FE975DF1 | SHA256:A00AEF230D4CAE1F163A4B930A40748EFAAF41F0FF8EE0B9DA8309680F39CEFC | |||
| 3664 | a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc.exe | C:\ProgramData\winmgmt.exe | executable | |
MD5:07A6E1B4545869F820D2D974FE975DF1 | SHA256:A00AEF230D4CAE1F163A4B930A40748EFAAF41F0FF8EE0B9DA8309680F39CEFC | |||
| 3276 | winmgmt.exe | C:\Users\admin\AppData\Local\Temp\L4SD\15F6949E.db | binary | |
MD5:180228D9ED81A44AF89CE05C6E095A7A | SHA256:D971E8FD5E6FAD13912FCB2078E889EB3DFBA5B48C41971E92A55D5FDF5E6533 | |||
| 2624 | WinRAR.exe | C:\Users\admin\Desktop\a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc | executable | |
MD5:07A6E1B4545869F820D2D974FE975DF1 | SHA256:A00AEF230D4CAE1F163A4B930A40748EFAAF41F0FF8EE0B9DA8309680F39CEFC | |||
| 2624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2624.45630\a00aef230d4cae1f163a4b930a40748efaaf41f0ff8ee0b9da8309680f39cefc | executable | |
MD5:07A6E1B4545869F820D2D974FE975DF1 | SHA256:A00AEF230D4CAE1F163A4B930A40748EFAAF41F0FF8EE0B9DA8309680F39CEFC | |||
| 3264 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs693C.tmp | text | |
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B | SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD | |||
| 3264 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs691B.tmp | text | |
MD5:8CF6DDB5AA59B49F34B967CD46F013B6 | SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C | |||
| 3276 | winmgmt.exe | C:\Users\admin\AppData\Local\Temp\ghi.bat | text | |
MD5:E0B2EC9E69574D9461038FF85711F08C | SHA256:0B5B66BBEE4526C3291966794024C9EAF548001F42E0CB09EA0FA22D6D702B29 | |||
| 3276 | winmgmt.exe | C:\Users\admin\AppData\Local\Temp\avp.exe | binary | |
MD5:CDF76A843084FA2F9A953DB3F606B201 | SHA256:ECCA1BD8B2DE16395531F12E5AFD5293DB6C9BC20F17694E03ACE9C6F5BEB8B1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
windowsupdate.microsoft.com |
| whitelisted |