analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

CVE-2020-0796-POC.zip

Full analysis: https://app.any.run/tasks/3da77243-6eb1-4814-b686-fe3a7bef07c0
Verdict: Malicious activity
Analysis date: March 31, 2020, 08:46:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B919BC31E56F584E11BC6620C912B0BD

SHA1:

503F87E3BD9B0F875182CEFD7AAA40910F81443F

SHA256:

95FD7245B23299876812A9C0EDC495BB77289A5455500250DA8C62D186D7925D

SSDEEP:

12288:IYUCdfXnDnI8abM9k72pb0Aa6YUPHEChk+glkGF1:IY7975uM9kJAaOkcqdP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3548)
      • CVE-2020-0796-POC.exe (PID: 3180)
      • CVE-2020-0796-POC.exe (PID: 2488)

    • Application was dropped or rewritten from another process

      • CVE-2020-0796-POC.exe (PID: 3180)
      • CVE-2020-0796-POC.exe (PID: 2488)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Manual execution by user

      • CVE-2020-0796-POC.exe (PID: 3180)
      • CVE-2020-0796-POC.exe (PID: 2488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: CVE-2020-0796-POC.exe
ZipUncompressedSize: 185344
ZipCompressedSize: 72474
ZipCRC: 0x1b38dfb7
ZipModifyDate: 2020:03:16 01:05:14
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs searchprotocolhost.exe no specs cve-2020-0796-poc.exe cve-2020-0796-poc.exe

Process information

PID
CMD
Path
Indicators
Parent process
3328"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CVE-2020-0796-POC.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3548"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3180"C:\Users\admin\Desktop\CVE-2020-0796-POC.exe" C:\Users\admin\Desktop\CVE-2020-0796-POC.exe
explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
Exit code:
3762504530
Version:
3.20.1.0
2488"C:\Users\admin\Desktop\CVE-2020-0796-POC.exe" C:\Users\admin\Desktop\CVE-2020-0796-POC.exe
explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
Exit code:
3762504530
Version:
3.20.1.0
Total events
472
Read events
464
Write events
8
Delete events
0

Modification events

(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3328) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\CVE-2020-0796-POC.zip
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\CVE-2020-0796-POC.exe
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.Asn1Base.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.Compression.Xpress.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.FileAccessService.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.Messages.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.Security.CryptoLib.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.Security.Nlmp.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.Security.Sspi.dll
MD5:
SHA256:
3328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3328.26062\Microsoft.Protocols.TestTools.StackSdk.Transport.dll
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CVE-2020-0796-POC.zip