File name: Bypass.pyc.zip
Full analysis: https://app.any.run/tasks/35eb4261-0485-4d80-9803-a7de19218572
Verdict: Malicious activity
Analysis date: November 29, 2020, 20:53:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: (none listed)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6A0370C1AFACA13E12CA034EE29D39F5
SHA1: E53271BAB595FC4A2F82515D89BAEE5C9302EC12
SHA256: 93FC22871341D68F1E2B5FAE82462AABE0410C6F132866EB53DFD1549989216B
SSDEEP: 96:KRGQNEKfSFZD2NGWkDinCWo5xw7JUJbdSwQZM1UU8ieW:KR9fSP91XE7JUDSsGW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via COM

      • DllHost.exe (PID: 3028)
  • INFO

    • Manual execution by user

      • taskmgr.exe (PID: 3984)
      • WinRAR.exe (PID: 4068)
      • explorer.exe (PID: 2096)
      • explorer.exe (PID: 3144)
      • opera.exe (PID: 1852)
      • rundll32.exe (PID: 1236)
    • Creates files in the user directory

      • opera.exe (PID: 1852)
No Malware configuration.

Reading the indicators together: the verdict line says "Malicious activity", but the signature section lists no malicious indicators, the process counters below show 0 malicious and 0 suspicious processes, and the IDS section reports no threats. The only non-informational hit is the COM surrogate (DllHost.exe, PID 3028), which the behavior graph labels "Shell Security Editor"; everything else is the analyst opening the archive in WinRAR, extracting it, and getting the Open With dialog (rundll32 shell32.dll,OpenAs_RunDLL) for the extracted Bypass.pyc, plus Opera background traffic.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP local file header)

ZipFileName: Bypass.pyc
ZipUncompressedSize: 7293
ZipCompressedSize: 3949
ZipCRC: 0x21c621c4
ZipModifyDate: 2020:11:29 20:44:14
ZipCompression: Deflated
ZipBitFlag: 0x0001 (bit 0 set: the entry is encrypted, so the inner Bypass.pyc cannot be hashed or scanned without the password; ZipCRC is still the CRC of the plaintext)
ZipRequiredVersion: 788 (0x0314; the low byte 0x14 = 20 is the "v2.0 to extract" in the File info line above)
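The EXIF block above is read straight from the ZIP local file header. The following is an added example (not ANY.RUN's or ExifTool's code) that parses that header into the same fields and flags the two bits that matter for triage: bit 0 (encrypted) and bit 3 (data descriptor, meaning the CRC and sizes in the local header are placeholders). The archive is constructed in memory with zipfile using the report's file name and timestamp; the "encrypted" variant is produced by flipping flag bit 0 in the raw header, which marks the entry as encrypted without actually encrypting the payload, so the payload bytes, function names and the PAYLOAD constant are all assumptions made for the demo.

```python
import struct
import zipfile
import zlib
from datetime import datetime
from io import BytesIO

LOCAL_SIG = 0x04034B50
# signature, version needed, flags, method, mtime, mdate, crc32, csize, usize, name len, extra len
LOCAL_FMT = "<IHHHHHIIIHH"
LOCAL_SIZE = struct.calcsize(LOCAL_FMT)  # 30 bytes
METHODS = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA", 99: "AES"}
FLAG_ENCRYPTED = 0x0001        # traditional PKZIP encryption, or AES when method is 99
FLAG_DATA_DESCRIPTOR = 0x0008  # CRC/sizes are zero here and follow the compressed data


def dos_to_datetime(ddate, dtime):
    """Decode the MS-DOS date/time pair used in ZIP headers (2-second resolution)."""
    return datetime(1980 + (ddate >> 9), (ddate >> 5) & 0xF, ddate & 0x1F,
                    dtime >> 11, (dtime >> 5) & 0x3F, (dtime & 0x1F) * 2)


def parse_local_header(data, offset=0):
    """Return the ExifTool-style fields for the local file header at `offset`."""
    (sig, ver, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name_start = offset + LOCAL_SIZE
    data_start = name_start + name_len + extra_len
    return {
        "ZipFileName": data[name_start:name_start + name_len].decode("cp437"),
        "ZipRequiredVersion": ver,                              # raw 16-bit value, as ExifTool prints it
        "ZipVersionString": "%d.%d" % divmod(ver & 0xFF, 10),  # low byte: 20 -> "2.0"
        "ZipBitFlag": flags,
        "ZipEncrypted": bool(flags & FLAG_ENCRYPTED),
        "ZipDataDescriptor": bool(flags & FLAG_DATA_DESCRIPTOR),
        "ZipCompression": METHODS.get(method, "unknown(%d)" % method),
        "ZipModifyDate": dos_to_datetime(mdate, mtime),
        "ZipCRC": crc,
        "ZipCompressedSize": csize,
        "ZipUncompressedSize": usize,
        "_data_offset": data_start,
    }


def verify_crc(data, entry):
    """Inflate an unencrypted Deflated payload and check it against ZipCRC and the size fields."""
    if entry["ZipEncrypted"] or entry["ZipCompression"] != "Deflated":
        return None  # nothing to verify without the password / a matching decompressor
    start = entry["_data_offset"]
    raw = data[start:start + entry["ZipCompressedSize"]]
    plain = zlib.decompress(raw, -15)  # raw deflate stream, no zlib header
    return ((zlib.crc32(plain) & 0xFFFFFFFF) == entry["ZipCRC"]
            and len(plain) == entry["ZipUncompressedSize"])


def triage_notes(entry):
    notes = []
    if entry["ZipEncrypted"]:
        notes.append("entry is encrypted: inner file cannot be hashed or scanned without the "
                     "password, but ZipCRC is the CRC of the plaintext and can still be matched")
    if entry["ZipDataDescriptor"]:
        notes.append("local-header CRC/sizes are placeholders; read them from the central directory")
    if entry["ZipCompression"].startswith("unknown"):
        notes.append("unsupported compression method")
    return notes


def mark_encrypted(data, offset=0):
    """Set flag bit 0 in the local header at `offset` (demo only: the payload is not encrypted)."""
    flags = struct.unpack_from("<H", data, offset + 6)[0] | FLAG_ENCRYPTED
    return data[:offset + 6] + struct.pack("<H", flags) + data[offset + 8:]


# Constructed stand-in payload; the report's real Bypass.pyc is not available here.
PAYLOAD = b"\x42\x0d\x0d\x0a" + b"\x00" * 12 + b"constructed stand-in for Bypass.pyc " * 100


def build_sample_zip(payload=PAYLOAD):
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("Bypass.pyc", date_time=(2020, 11, 29, 20, 44, 14))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for blob in (SAMPLE_ZIP, mark_encrypted(SAMPLE_ZIP)):
        e = parse_local_header(blob)
        print({k: v for k, v in e.items() if not k.startswith("_")})
        print("crc ok:", verify_crc(blob, e), "| notes:", triage_notes(e))
```

On the report's archive the parser would return ZipBitFlag 1 and ZipEncrypted True, and verify_crc would return None, which is exactly why no inner-file hashes can be derived from the sample without the password.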
All screenshots are available in the full report
Total processes: 51
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 0

Behavior graph (monitored processes in launch order; "no specs" means no signature matched)

  • winrar.exe (no specs)
  • opera.exe
  • taskmgr.exe (no specs)
  • explorer.exe (no specs)
  • Shell Security Editor (no specs)
  • explorer.exe (no specs)
  • winrar.exe (no specs)
  • rundll32.exe (no specs)
  • perfmon.exe

Process information

PID 2392  winrar.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Bypass.pyc.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 1852  opera.exe
  CMD: "C:\Program Files\Opera\opera.exe"
  Path: C:\Program Files\Opera\opera.exe
  Parent process: explorer.exe
  User: admin
  Company: Opera Software
  Integrity Level: MEDIUM
  Description: Opera Internet Browser
  Exit code: 0
  Version: 1748

PID 3984  taskmgr.exe
  CMD: "C:\Windows\system32\taskmgr.exe" /4
  Path: C:\Windows\system32\taskmgr.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Task Manager
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3144  explorer.exe
  CMD: "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3028  DllHost.exe (the "Shell Security Editor" node of the behavior graph; flagged "Executed via COM")
  CMD: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
  Path: C:\Windows\system32\DllHost.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2096  explorer.exe
  CMD: "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4068  winrar.exe (extracts the archive to C:\Users\admin\AppData\Local\Temp\Bypass.pyc\)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\AppData\Local\Temp\Bypass.pyc.zip" C:\Users\admin\AppData\Local\Temp\Bypass.pyc\
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 1236  rundll32.exe (shell32 OpenAs_RunDLL is the Open With dialog, which Explorer shows when the extension has no registered handler; the .pyc itself was not run by this process)
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Bypass.pyc\Bypass.pyc
  Path: C:\Windows\system32\rundll32.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2016  perfmon.exe
  CMD: "C:\Windows\System32\perfmon.exe" /res
  Path: C:\Windows\System32\perfmon.exe
  Parent process: taskmgr.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Resource and Performance Monitor
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
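The process table answers the question the verdict leaves open only if you read every command line. The following is an added example (not ANY.RUN's code) that does that reading mechanically: the Proc records are transcribed from the table above (PID, parent image name, integrity level, command line), while the regexes, the finding labels and the "was the extracted sample ever launched" rule are the editor's own and not part of the sandbox.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid parent integrity cmd")

# Destination WinRAR extracted to (from PID 4068's command line).
EXTRACT_DIR = r"C:\Users\admin\AppData\Local\Temp\Bypass.pyc" "\\"

# Transcribed from the report's Process information table.
PROCESSES = [
    Proc(2392, "explorer.exe", "MEDIUM",
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Bypass.pyc.zip"'),
    Proc(1852, "explorer.exe", "MEDIUM", r'"C:\Program Files\Opera\opera.exe"'),
    Proc(3984, "explorer.exe", "MEDIUM", r'"C:\Windows\system32\taskmgr.exe" /4'),
    Proc(3144, "explorer.exe", "MEDIUM", r'"C:\Windows\explorer.exe"'),
    Proc(3028, "svchost.exe", "HIGH",
         r"C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}"),
    Proc(2096, "explorer.exe", "MEDIUM", r'"C:\Windows\explorer.exe"'),
    Proc(4068, "explorer.exe", "MEDIUM",
         r'"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- '
         r'"C:\Users\admin\AppData\Local\Temp\Bypass.pyc.zip" C:\Users\admin\AppData\Local\Temp\Bypass.pyc' "\\"),
    Proc(1236, "explorer.exe", "MEDIUM",
         r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
         r"C:\Users\admin\AppData\Local\Temp\Bypass.pyc\Bypass.pyc"),
    Proc(2016, "taskmgr.exe", "HIGH", r'"C:\Windows\System32\perfmon.exe" /res'),
]

# Open With dialog: rundll32 shell32.dll,OpenAs_RunDLL <file>
OPENAS_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL\s+(.+?)\s*$", re.I)
# COM surrogate hosting one specific class
SURROGATE_RE = re.compile(r"dllhost\.exe\s+/Processid:(\{[0-9A-F-]{36}\})", re.I)
# WinRAR extraction: WinRAR.exe x <switches> -- "<archive>" <destination>
WINRAR_X_RE = re.compile(r'winrar\.exe"?\s+x\s.*?--\s+"(?P<archive>[^"]+)"\s+(?P<dest>\S+)', re.I)


def image_name(cmd):
    """Lower-cased executable name from a (possibly quoted) command line."""
    m = re.match(r'"?(.*?\.exe)"?(?:\s|$)', cmd, re.I)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else cmd.lower()


def extraction_targets(procs):
    return [m.group("dest") for p in procs for m in [WINRAR_X_RE.search(p.cmd)] if m]


def sample_launched(procs, extract_dir):
    """True if anything other than the archiver or the Open With dialog referenced the extracted payload."""
    for p in procs:
        if (extract_dir.lower() in p.cmd.lower()
                and image_name(p.cmd) != "winrar.exe" and not OPENAS_RE.search(p.cmd)):
            return True
    return False


def triage(procs):
    findings = []  # (pid, kind, detail)
    for p in procs:
        m = WINRAR_X_RE.search(p.cmd)
        if m:
            findings.append((p.pid, "archive extracted", "%s -> %s" % (m.group("archive"), m.group("dest"))))
        m = OPENAS_RE.search(p.cmd)
        if m:
            findings.append((p.pid, "open-with dialog",
                             "Explorer found no handler for %s; rundll32 only showed the dialog" % m.group(1)))
        m = SURROGATE_RE.search(p.cmd)
        if m:
            findings.append((p.pid, "COM surrogate",
                             "dllhost hosting CLSID %s (resolve it under HKCR\\CLSID); parent %s" % (m.group(1), p.parent)))
        if p.integrity == "HIGH":
            findings.append((p.pid, "high integrity",
                             "%s runs elevated under parent %s; check the screenshots for a UAC prompt"
                             % (image_name(p.cmd), p.parent)))
    return findings


def summarize(procs):
    targets = extraction_targets(procs)
    return {
        "extracted_to": targets,
        "sample_launched": any(sample_launched(procs, t) for t in targets),
        "findings": triage(procs),
    }


if __name__ == "__main__":
    s = summarize(PROCESSES)
    print("extracted to:", s["extracted_to"], "| sample launched:", s["sample_launched"])
    for pid, kind, detail in s["findings"]:
        print("%5d  %-18s %s" % (pid, kind, detail))
```

Run against the report's nine processes, summarize() reports the extraction to the Temp folder and sample_launched False: the only process that ever names the extracted Bypass.pyc is the Open With dialog. The two HIGH-integrity findings (DllHost and perfmon) and the CLSID are the items worth a second look, not the archive itself.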
Total events: 1,120
Read events: 977
Write events: 101
Delete events: 0

Modification events

Process: (PID not shown)  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write  Name: ShellExtBMP  Value: (empty)
Process: (PID not shown)  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write  Name: ShellExtIcon  Value: (empty)
Process: (PID not shown)  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US
Process: (PID not shown)  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write  Name: 0  Value: C:\Users\admin\AppData\Local\Temp\Bypass.pyc.zip
Process: (PID not shown)  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: name  Value: 120
Process: (PID not shown)  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: size  Value: 80
Process: (PID not shown)  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: type  Value: 120
Process: (PID not shown)  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: mtime  Value: 100
Process: (1852) opera.exe  Key: HKEY_CURRENT_USER\Software\Opera Software
  Operation: write  Name: Last CommandLine v2  Value: C:\Program Files\Opera\opera.exe
Process: (1852) opera.exe  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US
Executable files: 0
Suspicious files: 48
Text files: 36
Unknown types: 16

Dropped files (all from PID 1852, opera.exe)

C:\Users\admin\AppData\Roaming\Opera\Opera\opr3816.tmp
  Type / MD5 / SHA256: (not recorded)
C:\Users\admin\AppData\Roaming\Opera\Opera\opr3846.tmp
  Type / MD5 / SHA256: (not recorded)
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B8DYUYQ55T97TSRL0YX3.temp
  Type / MD5 / SHA256: (not recorded)
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
  Type / MD5 / SHA256: (not recorded)
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprA0D4.tmp
  Type / MD5 / SHA256: (not recorded)
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF1443ae.TMP
  Type: binary  MD5: 2705C7592CB636F56CFD29AFC9E7C131  SHA256: 4CA9E9F6504E75871CF3FB660A931A29770BB1A7197A9AEBBB8C60EBB166CAED
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms
  Type: binary  MD5: 2705C7592CB636F56CFD29AFC9E7C131  SHA256: 4CA9E9F6504E75871CF3FB660A931A29770BB1A7197A9AEBBB8C60EBB166CAED
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
  Type: binary  MD5: 3AAD4246B9780BB5A6C7B41A1EF442A4  SHA256: E5B44ADA4BCE0EF4E5F389C6B386016C20F7C7A61C430C6F6CDFD925CDF42CE6
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00004.tmp
  Type: image  MD5: D184488F6F062DE2EEC6226A8C519149  SHA256: 570EE1040EA4DE19107B5042AE7D58C5B726C798811D4B283D7C780C5BA13691
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
  Type: xml  MD5: F0A19165F38140626C0050ED71F77BB3  SHA256: 7561D677141E8F1F5BED43AC8B45C50E21E6A6CB9A7FF439141B82F1F35CD5C1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 19
DNS requests: 9
Threats: 0

HTTP requests (all from PID 1852, opera.exe)

GET 301  204.79.197.212:80  http://hotmail.com/
  CN: US  Reputation: whitelisted
GET 200  93.184.220.29:80  http://crl3.digicert.com/Omniroot2025.crl
  CN: US  Type: der  Size: 7.30 Kb  Reputation: whitelisted
GET 400  185.26.182.93:80  http://sitecheck2.opera.com/?host=hotmail.com&hdn=3WZOdC6yvicI3TSBeeNDBw==
  CN: unknown  Type: html  Size: 150 b  Reputation: whitelisted

Connections (all from PID 1852, opera.exe)

185.26.182.93:443   certs.opera.com        ASN: Opera Software AS  Reputation: whitelisted
172.217.22.46:80    clients1.google.com    ASN: Google Inc.  CN: US  Reputation: whitelisted
185.26.182.112:80   sitecheck2.opera.com   ASN: Opera Software AS  Reputation: malicious
93.184.220.29:80    crl4.digicert.com      ASN: MCI Communications Services, Inc. d/b/a Verizon Business  CN: US  Reputation: whitelisted
185.26.182.93:80    certs.opera.com        ASN: Opera Software AS  Reputation: whitelisted
204.79.197.212:80   hotmail.com            ASN: Microsoft Corporation  CN: US  Reputation: whitelisted
13.107.42.11:443    outlook.live.com       ASN: Microsoft Corporation  CN: US  Reputation: whitelisted
185.26.182.112:443  sitecheck2.opera.com   ASN: Opera Software AS  Reputation: malicious
95.101.185.171:443  uhf.microsoft.com      ASN: CW Vodafone Group PLC  Reputation: unknown
23.46.252.66:443    ow2.res.office365.com  ASN: Akamai Technologies, Inc.  CN: US  Reputation: unknown

DNS requests

Domain
IP
Reputation
certs.opera.com
  • 185.26.182.93
  • 185.26.182.94
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
clients1.google.com
  • 172.217.22.46
whitelisted
hotmail.com
  • 204.79.197.212
whitelisted
sitecheck2.opera.com
  • 185.26.182.112
  • 185.26.182.93
  • 185.26.182.111
  • 185.26.182.106
  • 185.26.182.118
  • 185.26.182.94
whitelisted
outlook.live.com
  • 13.107.42.11
whitelisted
ow2.res.office365.com
  • 23.46.252.66
whitelisted
uhf.microsoft.com
  • 95.101.185.171
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
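The HTTP, Connections and DNS sections above describe the same handful of hosts three times, and they do not agree with each other: sitecheck2.opera.com is "whitelisted" in the HTTP and DNS tables but "malicious" in the Connections table. The following is an added example (not ANY.RUN's code) that merges the three tables into one per-domain view, reports every host that carries conflicting labels, and checks that each contacted IP was actually returned by DNS for that host. The records are the page's own values transcribed into Python literals (every connection came from PID 1852, opera.exe, so that column is dropped); the function names and the rule that "unknown" is not a label are the editor's assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# (method, status, ip:port, url, reputation) from the HTTP requests table
HTTP = [
    ("GET", 301, "204.79.197.212:80", "http://hotmail.com/", "whitelisted"),
    ("GET", 200, "93.184.220.29:80", "http://crl3.digicert.com/Omniroot2025.crl", "whitelisted"),
    ("GET", 400, "185.26.182.93:80",
     "http://sitecheck2.opera.com/?host=hotmail.com&hdn=3WZOdC6yvicI3TSBeeNDBw==", "whitelisted"),
]

# (ip:port, domain, reputation) from the Connections table
CONNECTIONS = [
    ("185.26.182.93:443", "certs.opera.com", "whitelisted"),
    ("172.217.22.46:80", "clients1.google.com", "whitelisted"),
    ("185.26.182.112:80", "sitecheck2.opera.com", "malicious"),
    ("93.184.220.29:80", "crl4.digicert.com", "whitelisted"),
    ("185.26.182.93:80", "certs.opera.com", "whitelisted"),
    ("204.79.197.212:80", "hotmail.com", "whitelisted"),
    ("13.107.42.11:443", "outlook.live.com", "whitelisted"),
    ("185.26.182.112:443", "sitecheck2.opera.com", "malicious"),
    ("95.101.185.171:443", "uhf.microsoft.com", "unknown"),
    ("23.46.252.66:443", "ow2.res.office365.com", "unknown"),
]

# domain -> (resolved IPs, reputation) from the DNS requests table
DNS = {
    "certs.opera.com": (["185.26.182.93", "185.26.182.94"], "whitelisted"),
    "crl4.digicert.com": (["93.184.220.29"], "whitelisted"),
    "clients1.google.com": (["172.217.22.46"], "whitelisted"),
    "hotmail.com": (["204.79.197.212"], "whitelisted"),
    "sitecheck2.opera.com": (["185.26.182.112", "185.26.182.93", "185.26.182.111",
                              "185.26.182.106", "185.26.182.118", "185.26.182.94"], "whitelisted"),
    "outlook.live.com": (["13.107.42.11"], "whitelisted"),
    "ow2.res.office365.com": (["23.46.252.66"], "whitelisted"),
    "uhf.microsoft.com": (["95.101.185.171"], "whitelisted"),
    "crl3.digicert.com": (["93.184.220.29"], "whitelisted"),
}


def per_domain(http, conns, dns):
    """Fold the three sections into {domain: {reputations, ips, dns_ips, http}}."""
    view = defaultdict(lambda: {"reputations": set(), "ips": set(), "dns_ips": set(), "http": []})
    for method, status, ip_port, url, rep in http:
        host = urlsplit(url).hostname
        view[host]["reputations"].add(("http", rep))
        view[host]["ips"].add(ip_port.split(":")[0])
        view[host]["http"].append((method, status, url))
    for ip_port, domain, rep in conns:
        view[domain]["reputations"].add(("connections", rep))
        view[domain]["ips"].add(ip_port.split(":")[0])
    for domain, (ips, rep) in dns.items():
        view[domain]["reputations"].add(("dns", rep))
        view[domain]["dns_ips"].update(ips)
    return dict(view)


def conflicts(view):
    """Domains given more than one real label across the sections ("unknown" is not a label)."""
    out = {}
    for domain, v in view.items():
        labels = {rep for _, rep in v["reputations"]} - {"unknown"}
        if len(labels) > 1:
            out[domain] = sorted(v["reputations"])
    return out


def unresolved_ips(view):
    """IPs a domain was contacted on that the sandbox never saw DNS return for it."""
    out = {}
    for domain, v in view.items():
        extra = v["ips"] - v["dns_ips"]
        if extra:
            out[domain] = sorted(extra)
    return out


if __name__ == "__main__":
    view = per_domain(HTTP, CONNECTIONS, DNS)
    print("conflicting labels:", conflicts(view))
    print("IPs not backed by DNS:", unresolved_ips(view))
```

On this report the only conflict is sitecheck2.opera.com, and every contacted IP is covered by a DNS answer for its domain, which is the shape you expect from browser background traffic (certificate checks, CRL fetches, Opera's own site check) rather than from the sample.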
No debug info