analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

soft.zip

Full analysis: https://app.any.run/tasks/71dd49d3-2024-4854-88ae-ee4de2a2ae52
Verdict: Malicious activity
Analysis date: November 30, 2020, 00:42:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

46BCD115D5CD7DDF16E110D98C412B8F

SHA1:

A7D40C473130F7D382130C8BF8E90BDD6331A5EF

SHA256:

984CEA30B2B4885258E9BE925283A0E4665A8D454992EB8655465E3929B38154

SSDEEP:

6144:1nVr9TELeBVT/a7FHHrN5HueRQ0hG6jCjBLqLnlReL4jiUKsahNqZLV:1l9TELSKtrN5OeRQF1jMlReLqiUKsaab

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3664)
      • soft.exe (PID: 1564)

    • Application was dropped or rewritten from another process

      • soft.exe (PID: 1564)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads settings of System Certificates

      • soft.exe (PID: 1564)

    • Manual execution by user

      • soft.exe (PID: 1564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Leaf.xNet.dll
ZipUncompressedSize: 132608
ZipCompressedSize: 53026
ZipCRC: 0x837a1795
ZipModifyDate: 2020:05:28 17:46:02
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs searchprotocolhost.exe no specs soft.exe

Process information

PID
CMD
Path
Indicators
Parent process
2476"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\soft.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3664"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1564"C:\Users\admin\Desktop\soft.exe" C:\Users\admin\Desktop\soft.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Youtube-Viewers
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\soft.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
2 792
Read events
2 715
Write events
76
Delete events
1

Modification events

(PID) Process:(2476) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2476) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2476) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2476) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\soft.zip
(PID) Process:(2476) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2476) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2476) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2476) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2476) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:@C:\Windows\System32\msxml3r.dll,-1
Value:
XML Document
(PID) Process:(3664) SearchProtocolHost.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
86
Text files
0
Unknown types
13

Dropped files

PID
Process
Filename
Type
2476WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\Leaf.xNet.dll
MD5:
SHA256:
2476WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\Leaf.xNet.xml
MD5:
SHA256:
2476WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\MyProxy_44300 HTTPS.txt
MD5:
SHA256:
2476WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\soft.exe
MD5:
SHA256:
1564soft.exeC:\Users\admin\AppData\Local\Temp\Cab6C9E.tmp
MD5:
SHA256:
1564soft.exeC:\Users\admin\AppData\Local\Temp\Tar6C9F.tmp
MD5:
SHA256:
1564soft.exeC:\Users\admin\AppData\Local\Temp\Cab6CBF.tmp
MD5:
SHA256:
1564soft.exeC:\Users\admin\AppData\Local\Temp\Tar6CC0.tmp
MD5:
SHA256:
1564soft.exeC:\Users\admin\AppData\Local\Temp\Cab6EB5.tmp
MD5:
SHA256:
1564soft.exeC:\Users\admin\AppData\Local\Temp\Tar6EB6.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5 029
TCP/UDP connections
7 214
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1564
soft.exe
CONNECT
103.123.246.66:8080
http://m.youtube.com:8080m.youtube.com:443
unknown
suspicious
1564
soft.exe
CONNECT
185.117.9.210:8080
http://m.youtube.com:8080m.youtube.com:443
IQ
unknown
1564
soft.exe
CONNECT
140.238.17.59:80
http://m.youtube.comm.youtube.com:443
US
suspicious
1564
soft.exe
CONNECT
182.71.146.148:8080
http://m.youtube.com:8080m.youtube.com:443
IN
suspicious
1564
soft.exe
CONNECT
103.112.163.245:8080
http://m.youtube.com:8080m.youtube.com:443
unknown
unknown
1564
soft.exe
CONNECT
163.43.108.114:8080
http://m.youtube.com:8080m.youtube.com:443
JP
unknown
1564
soft.exe
CONNECT
159.192.138.170:8080
http://m.youtube.com:8080m.youtube.com:443
TH
suspicious
1564
soft.exe
CONNECT
103.111.29.253:8080
http://m.youtube.com:8080m.youtube.com:443
unknown
suspicious
1564
soft.exe
CONNECT
103.4.145.237:8080
http://m.youtube.com:8080m.youtube.com:443
BD
suspicious
1564
soft.exe
CONNECT
103.134.213.50:8080
http://m.youtube.com:8080m.youtube.com:443
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1564
soft.exe
182.53.206.26:45336
TOT Public Company Limited
TH
suspicious
1564
soft.exe
103.134.213.50:8080
unknown
1564
soft.exe
117.204.253.137:8080
National Internet Backbone
IN
suspicious
1564
soft.exe
159.192.138.170:8080
CAT TELECOM Public Company Ltd,CAT
TH
suspicious
1564
soft.exe
167.99.154.98:3128
US
unknown
1564
soft.exe
183.89.64.243:8080
Triple T Internet/Triple T Broadband
TH
unknown
1564
soft.exe
103.89.159.5:8080
P.D.S. Server Network Pvt. Ltd.
NP
unknown
1564
soft.exe
140.238.17.59:80
Oracle Corporation
US
suspicious
1564
soft.exe
178.238.41.103:5836
Master Internet s.r.o.
CZ
unknown
1564
soft.exe
121.101.191.190:63141
PT. BORNEO BROADBAND TECHNOLOGY
ID
unknown

DNS requests

Domain
IP
Reputation
www.download.windowsupdate.com
  • 67.26.137.254
  • 67.27.235.126
  • 67.27.235.254
  • 8.253.204.121
  • 67.26.81.254
whitelisted
pki-sha2-adc.averydennison.net
unknown
pki-sha2-euc.averydennison.net
unknown

Threats

PID
Process
Class
Message
1564
soft.exe
Generic Protocol Command Decode
SURICATA STREAM suspected RST injection
1564
soft.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
1564
soft.exe
Generic Protocol Command Decode
SURICATA STREAM suspected RST injection
1564
soft.exe
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
1564
soft.exe
Generic Protocol Command Decode
SURICATA STREAM suspected RST injection
1564
soft.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
1564
soft.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
1564
soft.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
1564
soft.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
1564
soft.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
soft.zip