File name: Coco_Z.rar
Full analysis: https://app.any.run/tasks/aa425cb7-5076-457a-a034-b096868bfcd3
Verdict: Malicious activity
Analysis date: July 13, 2020, 06:02:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 75BAD7CFAD8351A50814F85EE1FF5C89
SHA1: 19B078F0B92C03D23C7A333C4864E096D5726F18
SHA256: 907AA542FB87581AD730E74AA75FD4605E4B425A2A9186C12E2C1A2225C90AB2
SSDEEP: 196608:pRYJ3aiHJsjXXhVN9IaKPpF6yr7SIZB2IFBYs8hrvDN:pRYJ3ai2jBVT1SF5XSIn2I7ah9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3464)
      • Coco Z.exe (PID: 3264)
    • Application was dropped or rewritten from another process
      • Coco Z.exe (PID: 2668)
      • Coco Z.exe (PID: 3264)
    • Changes settings of System certificates
      • Coco Z.exe (PID: 3264)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2436)
      • Coco Z.exe (PID: 3264)
    • Reads Environment values
      • Coco Z.exe (PID: 3264)
    • Changes IE settings (feature browser emulation)
      • Coco Z.exe (PID: 3264)
    • Reads Internet Cache Settings
      • Coco Z.exe (PID: 3264)
    • Reads Internet Explorer settings
      • Coco Z.exe (PID: 3264)
    • Adds / modifies Windows certificates
      • Coco Z.exe (PID: 3264)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2436)
    • Manual execution by user
      • Coco Z.exe (PID: 3264)
      • Coco Z.exe (PID: 2668)
    • Reads settings of System Certificates
      • Coco Z.exe (PID: 3264)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 93017
UncompressedSize: 330752
OperatingSystem: Win32
ModifyDate: 2020:06:28 10:37:22
PackingMethod: Normal
ArchivedFileName: Bunifu_UI_v1.5.3.dll
No data.
Total processes: 41
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0


Process information

PID: 2436
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Coco_Z.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3464
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2668
CMD: "C:\Users\admin\Desktop\Coco Z\Coco Z.exe"
Path: C:\Users\admin\Desktop\Coco Z\Coco Z.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Coco Z (1st Generation)
Exit code: 3221226540
Version: 1.0.0.0

PID: 3264
CMD: "C:\Users\admin\Desktop\Coco Z\Coco Z.exe"
Path: C:\Users\admin\Desktop\Coco Z\Coco Z.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Coco Z (1st Generation)
Version: 1.0.0.0
Total events: 2 126
Read events: 894
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 8
Suspicious files: 4
Text files: 828
Unknown types: 2

Dropped files

PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\ace\ext-emmet.js (text)
  MD5: 3C62005FAC68141FC279C1527F826015
  SHA256: A4EAFFA35FF2EC7157885FD555A08A187F777A185E42A4697E79DD610184AAF9
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\VisualStudioTabControl.dll (executable)
  MD5: 77D273BDA0F14E2B20B5FDF4DA74D720
  SHA256: A3BFE807AFB619B886D8F10C43A96CA5AF2A36C0AA54BC46E77DE4EEDE27DC1A
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\Coco Z.exe (executable)
  MD5: 2C801A799F6928EDBF51DA43A524755B
  SHA256: 1C13DBD4B4F7BB9124B228AAAC528DB25C703FD90C04C0EF8B3B4BD9F453F7E5
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\ace\ext-prompt.js (text)
  MD5: CECC01470B7976001DA09DB61071140E
  SHA256: C431C6977DB4DB4DC38164B58A757B91E6E19D16950F7DB6E20A1E1096E50F2F
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\Coco.dll (executable)
  MD5: 34B04AC8C9AE825BAA4B36FE9E2193D2
  SHA256: C5C180727F2FDB31E8E75519227E0C0FA2F3787E01F3B1CF6A65A9188F6C0A02
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\ace\ext-keybinding_menu.js (text)
  MD5: B7117D7002875D2596342661685667B8
  SHA256: 547014D5037FF3697F716F8D4F977A3FA029C47D7B5E596D9232E85F77600862
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\ace\editor.html (html)
  MD5: 859244809FD63439BE261A727E61A792
  SHA256: 089E15ED2663A5A0E237EAEFAA5B7FBA9C204CC84DAE7A9F1EA869A229D06B17
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\ace\ext-options.js (text)
  MD5: 8BE2ACB1704B3E42E9398C51F34C9C7E
  SHA256: 8DD0707FAD16212B98BEB02D960105C457B31255EF7BF09395ADA87FB9FEC51C
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\ace\ace.js (text)
  MD5: A17EA4028CCE563F3972D6CE555FDCE6
  SHA256: 0E82BF4C24525CF4AED5A3A7885B198FAAFF5908CE279E6EC1704C443B4BD1E1
PID 2436 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2436.3147\ace\ext-modelist.js (text)
  MD5: 6FD20E95846DEADE86D1162F678CBA98
  SHA256: 81A9284AEA414802C190F2B50943992DAF149068C4C28BC8DD0519954712CC42
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

PID 3264 (Coco Z.exe): GET, HTTP 200, 172.217.22.3:80
  URL: http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
  CN: US | Type: der | Size: 468 b | Reputation: whitelisted
PID 3264 (Coco Z.exe): GET, HTTP 200, 172.217.22.3:80
  URL: http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDRWV%2BNyD7WkwIAAAAAbwew
  CN: US | Type: der | Size: 472 b | Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3264 | Coco Z.exe | 172.217.22.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3264 | Coco Z.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | | shared
3264 | Coco Z.exe | 104.28.13.51:443 | pastebinp.com | Cloudflare Inc | US | unknown
3264 | Coco Z.exe | 216.58.206.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
pastebinp.com | 104.28.13.51, 172.67.131.46, 104.28.12.51 | unknown
cdn.discordapp.com | 162.159.129.233, 162.159.133.233, 162.159.134.233, 162.159.135.233, 162.159.130.233 | shared
fonts.googleapis.com | 216.58.206.10 | whitelisted
ocsp.pki.goog | 172.217.22.3 | whitelisted

Threats

No threats detected
No debug info