File name: soft.zip

Full analysis: https://app.any.run/tasks/f9601416-e771-4135-b1d4-ade7ce513154
Verdict: Malicious activity
Analysis date: November 30, 2020, 00:39:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 46BCD115D5CD7DDF16E110D98C412B8F
SHA1: A7D40C473130F7D382130C8BF8E90BDD6331A5EF
SHA256: 984CEA30B2B4885258E9BE925283A0E4665A8D454992EB8655465E3929B38154
SSDEEP: 6144:1nVr9TELeBVT/a7FHHrN5HueRQ0hG6jCjBLqLnlReL4jiUKsahNqZLV:1l9TELSKtrN5OeRQF1jMlReLqiUKsaab

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • soft.exe (PID: 3324)
    • Loads dropped or rewritten executable

      • soft.exe (PID: 3324)
      • SearchProtocolHost.exe (PID: 3448). This is the Windows Search indexer's protocol host; the process table below shows it running as SYSTEM with SearchIndexer.exe as its parent, not soft.exe, so confirm what it loaded before attributing this hit to the sample rather than to the indexer picking up the freshly extracted files.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads settings of System Certificates

      • soft.exe (PID: 3324)
    • Manual execution by user

      • soft.exe (PID: 3324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP (only one member's entry is shown here, Leaf.xNet.dll; the archive holds four members, see Dropped files below)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:05:28 17:46:02
ZipCRC: 0x837a1795
ZipCompressedSize: 53026
ZipUncompressedSize: 132608
ZipFileName: Leaf.xNet.dll
No data.
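Before detonating an archive like this one, a practitioner usually wants the full member list, per-member hashes and a content-based executable check, since the EXIF block above covers a single member and the static summary gives no per-member hashes. The script below is an added example written for this page, not ANY.RUN's code and not code from the sample; it builds a stand-in archive in memory whose member names copy the report's dropped-files list but whose contents are placeholders, compares a blob against the report's hashes, and flags PE members by their MZ header rather than by extension.

```python
"""Pre-detonation triage of a ZIP sample without extracting it to disk.

Added example for this report, not ANY.RUN's code and not the sample's code.
The archive is constructed in memory: its member names copy the report's
dropped-files list, but the member contents are placeholders.
"""
import hashlib
import io
import zipfile

# Hashes from the report header; used to confirm a local file is the same artefact.
REPORT_HASHES = {
    "md5": "46bcd115d5cd7ddf16e110d98c412b8f",
    "sha1": "a7d40c473130f7d382130c8bf8e90bdd6331a5ef",
    "sha256": "984cea30b2b4885258e9be925283a0e4665a8d454992eb8655465e3929b38154",
}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a blob as lower-case hex, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only if every hash listed in the report agrees with the local bytes."""
    got = hash_bytes(data)
    return all(got[alg] == digest.lower() for alg, digest in expected.items())


def triage_zip(data: bytes) -> list:
    """List every member with sizes, CRC, SHA256 and an MZ-header check.

    The PE check looks at content, not the extension, so an executable renamed
    to .txt or .xml is still flagged. Nothing is written to disk.
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            body = zf.read(info)
            entries.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "crc": f"0x{info.CRC:08x}",
                "is_pe": body[:2] == b"MZ",
                "sha256": hashlib.sha256(body).hexdigest(),
            })
    return entries


def build_sample_zip() -> bytes:
    """Constructed stand-in for soft.zip: real member names, placeholder contents.
    The proxy-list lines use documentation addresses, not the report's IPs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Leaf.xNet.dll", b"MZ" + b"\x00" * 62 + b"placeholder, not the real library")
        zf.writestr("Leaf.xNet.xml", b"<?xml version='1.0'?><doc/>")
        zf.writestr("MyProxy_44300 HTTPS.txt", b"203.0.113.10:8080\n203.0.113.11:3128\n")
        zf.writestr("soft.exe", b"MZ" + b"\x00" * 62 + b"placeholder, not the real sample")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    # Placeholder bytes, so this prints False; a genuine copy of soft.zip prints True.
    print("matches report hashes:", matches_report(sample))
    for entry in triage_zip(sample):
        flag = "PE " if entry["is_pe"] else "   "
        print(f"{flag}{entry['name']:28} {entry['uncompressed']:>6} bytes  sha256={entry['sha256'][:16]}...")
```

Run it against a real copy of soft.zip by replacing `build_sample_zip()` with the file's bytes; `matches_report` then tells you whether you are looking at the artefact this report describes, and `triage_zip` shows which members carry an MZ header before anything is executed.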
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes shown: start, winrar.exe (no specs), searchprotocolhost.exe (no specs), soft.exe. The interactive graph with per-process details is available in the full report.

Process information

PID 1252: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\soft.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3448: SearchProtocolHost.exe
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3324: soft.exe
  CMD: "C:\Users\admin\Desktop\soft.exe"
  Path: C:\Users\admin\Desktop\soft.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Youtube-Viewers
  Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: a console process ended by Ctrl+C/Ctrl+Break or by its console window being closed, i.e. it was terminated rather than returning on its own)
  Version: 1.0.0.0

Note the path of the copy that ran: it is on the Desktop, not in the Rar$DRa1252.13253 temp folder WinRAR extracted to (see Dropped files), which matches the "Manual execution by user" indicator above.
Total events: 1 001
Read events: 924
Write events: 76
Delete events: 1

Modification events

PID  | Process                | Key                                                                       | Operation | Name                                | Value
1252 | WinRAR.exe             | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes                        | write     | ShellExtBMP                         | (empty)
1252 | WinRAR.exe             | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes                        | write     | ShellExtIcon                        | (empty)
1252 | WinRAR.exe             | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E                    | write     | LanguageList                        | en-US
1252 | WinRAR.exe             | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                              | write     | 0                                   | C:\Users\admin\AppData\Local\Temp\soft.zip
1252 | WinRAR.exe             | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths               | write     | name                                | 120
1252 | WinRAR.exe             | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths               | write     | size                                | 80
1252 | WinRAR.exe             | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths               | write     | type                                | 120
1252 | WinRAR.exe             | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths               | write     | mtime                               | 100
1252 | WinRAR.exe             | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E                    | write     | @C:\Windows\System32\msxml3r.dll,-1 | XML Document
3448 | SearchProtocolHost.exe | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\13B\52C64B7E | write     | LanguageList                        | en-US

Every listed write comes from WinRAR (UI state, archive history, MUI cache) or the Search protocol host; no registry modification by soft.exe (PID 3324) appears in this list, so do not expect registry-based persistence indicators from this summary.
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID  | Process    | Filename                                                               | Type | MD5 | SHA256
1252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1252.13253\Leaf.xNet.dll           |      |     |
1252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1252.13253\Leaf.xNet.xml           |      |     |
1252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1252.13253\MyProxy_44300 HTTPS.txt |      |     |
1252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1252.13253\soft.exe                |      |     |

The Type, MD5 and SHA256 columns are empty for all four members in this summary.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 719
TCP/UDP connections: 1 680
DNS requests: 0 (no name resolution is recorded; this is consistent with the HTTP table below, where soft.exe connects to proxies by IP literal and the m.youtube.com name travels only inside the CONNECT request line)
Threats: 0

HTTP requests

10 of the 719 requests are listed in this summary. The HTTP Code, Type and Size columns are empty for every row and are omitted here; each row is a CONNECT sent to a proxy (IP column) asking it to tunnel to the CONNECT target.

PID  | Process  | Method  | IP (proxy)           | URL                       | CONNECT target    | CN      | Reputation
3324 | soft.exe | CONNECT | 103.89.159.5:8080    | http://m.youtube.com:8080 | m.youtube.com:443 | NP      | unknown
3324 | soft.exe | CONNECT | 182.71.146.148:8080  | http://m.youtube.com:8080 | m.youtube.com:443 | IN      | suspicious
3324 | soft.exe | CONNECT | 143.137.204.6:80     | http://m.youtube.com      | m.youtube.com:443 | BR      | suspicious
3324 | soft.exe | CONNECT | 163.43.108.114:8080  | http://m.youtube.com:8080 | m.youtube.com:443 | JP      | unknown
3324 | soft.exe | CONNECT | 103.134.213.50:8080  | http://m.youtube.com:8080 | m.youtube.com:443 | unknown | unknown
3324 | soft.exe | CONNECT | 117.204.253.137:8080 | http://m.youtube.com:8080 | m.youtube.com:443 | IN      | suspicious
3324 | soft.exe | CONNECT | 186.47.82.138:8080   | http://m.youtube.com:8080 | m.youtube.com:443 | EC      | unknown
3324 | soft.exe | CONNECT | 176.113.225.69:8080  | http://m.youtube.com:8080 | m.youtube.com:443 | UA      | unknown
3324 | soft.exe | CONNECT | 185.117.9.210:8080   | http://m.youtube.com:8080 | m.youtube.com:443 | IQ      | unknown
3324 | soft.exe | CONNECT | 165.16.77.49:8080    | http://m.youtube.com:8080 | m.youtube.com:443 | LY      | unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

10 of the 1 680 connections are listed in this summary. The Domain column is empty for every row (no DNS lookups were made); blank ASN or CN cells are blank on the page as well.

PID  | Process  | IP                    | Domain | ASN                                                                 | CN | Reputation
3324 | soft.exe | 182.53.206.26:45336   |        | TOT Public Company Limited                                          | TH | suspicious
3324 | soft.exe | 111.93.59.130:3129    |        | Tata Teleservices ISP AS                                            | IN | unknown
3324 | soft.exe | 103.78.213.226:45163  |        |                                                                     | ID | suspicious
3324 | soft.exe | 190.6.200.158:38256   |        | CABLECOLOR S.A.                                                     | HN | suspicious
3324 | soft.exe | 121.101.191.190:63141 |        | PT. BORNEO BROADBAND TECHNOLOGY                                     | ID | unknown
3324 | soft.exe | 103.4.145.237:8080    |        | Next Online Limited                                                 | BD | suspicious
3324 | soft.exe | 103.123.246.66:8080   |        |                                                                     |    | suspicious
3324 | soft.exe | 118.96.150.115:8080   |        | PT Telekomunikasi Indonesia                                         | ID | unknown
3324 | soft.exe | 14.98.195.90:55207    |        |                                                                     | IN | suspicious
3324 | soft.exe | 138.219.251.5:3128    |        | Coop de Prov.Serv.Telef.Obras y Serv Púb y Soc Virrey del Pino Ltda | AR | unknown
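The HTTP requests and Connections tables together show the behaviour that actually characterises this sample: one process (PID 3324) pushing CONNECT requests for a single target, m.youtube.com:443, through proxies in many unrelated networks and countries, with no DNS, alongside a bundled "MyProxy_44300 HTTPS.txt" list in the archive. Suricata's per-flow policy alerts (see Threats below) note the CONNECT usage but cannot express that fan-out. The detector below is an added example written for this page, not ANY.RUN's code and not the sample's code; its input lines are constructed to mirror the rows of the two tables above (plus a constructed, benign chrome.exe control talking to one corporate proxy), and the thresholds and the PROXY_PORTS set are assumptions to tune against your own telemetry.

```python
"""Proxy fan-out detector over per-process network telemetry.

Added example for this report, not ANY.RUN's code and not the sample's code.
Input lines are constructed to mirror the HTTP requests and Connections tables;
thresholds and PROXY_PORTS are assumptions, tune them for your own data.
"""
from collections import defaultdict

# Constructed: "pid process method proxy_endpoint connect_target country" ("--" = unknown)
HTTP_LOG = [
    "3324 soft.exe CONNECT 103.89.159.5:8080 m.youtube.com:443 NP",
    "3324 soft.exe CONNECT 182.71.146.148:8080 m.youtube.com:443 IN",
    "3324 soft.exe CONNECT 143.137.204.6:80 m.youtube.com:443 BR",
    "3324 soft.exe CONNECT 163.43.108.114:8080 m.youtube.com:443 JP",
    "3324 soft.exe CONNECT 103.134.213.50:8080 m.youtube.com:443 --",
    "3324 soft.exe CONNECT 117.204.253.137:8080 m.youtube.com:443 IN",
    "3324 soft.exe CONNECT 186.47.82.138:8080 m.youtube.com:443 EC",
    "3324 soft.exe CONNECT 176.113.225.69:8080 m.youtube.com:443 UA",
    "3324 soft.exe CONNECT 185.117.9.210:8080 m.youtube.com:443 IQ",
    "3324 soft.exe CONNECT 165.16.77.49:8080 m.youtube.com:443 LY",
    # Constructed benign control: a browser using one corporate proxy for two sites.
    "2100 chrome.exe CONNECT 10.0.0.5:3128 m.youtube.com:443 --",
    "2100 chrome.exe CONNECT 10.0.0.5:3128 www.google.com:443 --",
]

# Constructed: "pid process remote_endpoint country" ("--" = unknown)
CONN_LOG = [
    "3324 soft.exe 182.53.206.26:45336 TH",
    "3324 soft.exe 111.93.59.130:3129 IN",
    "3324 soft.exe 103.78.213.226:45163 ID",
    "3324 soft.exe 190.6.200.158:38256 HN",
    "3324 soft.exe 121.101.191.190:63141 ID",
    "3324 soft.exe 103.4.145.237:8080 BD",
    "3324 soft.exe 103.123.246.66:8080 --",
    "3324 soft.exe 118.96.150.115:8080 ID",
    "3324 soft.exe 14.98.195.90:55207 IN",
    "3324 soft.exe 138.219.251.5:3128 AR",
]

PROXY_PORTS = {80, 3128, 3129, 8080, 8888}  # assumption: ports open proxies commonly listen on


def parse_http(lines):
    """One dict per constructed HTTP row."""
    keys = ("pid", "process", "method", "proxy", "target", "cc")
    return [dict(zip(keys, line.split())) for line in lines]


def parse_conn(lines):
    """One dict per constructed connection row."""
    keys = ("pid", "process", "remote", "cc")
    return [dict(zip(keys, line.split())) for line in lines]


def port_of(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])


def proxy_fanout(http_lines, conn_lines, min_endpoints=5, min_countries=3, max_targets=2):
    """Per (pid, process): distinct remote endpoints, countries and CONNECT targets.

    Flag a process that spreads CONNECTs for very few targets across many
    endpoints in many countries: the shape of a proxy-list bot, and invisible
    to a per-flow signature such as "ET POLICY HTTP traffic on port 443 (CONNECT)".
    """
    stats = defaultdict(lambda: {"endpoints": set(), "countries": set(), "targets": set(),
                                 "proxy_port_hits": 0, "connections": 0})
    for r in parse_http(http_lines):
        s = stats[(r["pid"], r["process"])]
        if r["method"] != "CONNECT":
            continue
        s["endpoints"].add(r["proxy"])
        s["targets"].add(r["target"])
        if r["cc"] != "--":
            s["countries"].add(r["cc"])
    for r in parse_conn(conn_lines):
        s = stats[(r["pid"], r["process"])]
        s["endpoints"].add(r["remote"])
        s["connections"] += 1
        if port_of(r["remote"]) in PROXY_PORTS:
            s["proxy_port_hits"] += 1
        if r["cc"] != "--":
            s["countries"].add(r["cc"])
    findings = {}
    for key, s in stats.items():
        flagged = (len(s["endpoints"]) >= min_endpoints
                   and len(s["countries"]) >= min_countries
                   and 0 < len(s["targets"]) <= max_targets)
        findings[key] = {"endpoints": len(s["endpoints"]), "countries": len(s["countries"]),
                         "targets": sorted(s["targets"]), "proxy_port_hits": s["proxy_port_hits"],
                         "connections": s["connections"], "flagged": flagged}
    return findings


if __name__ == "__main__":
    for (pid, proc), f in proxy_fanout(HTTP_LOG, CONN_LOG).items():
        verdict = "PROXY FAN-OUT" if f["flagged"] else "ok"
        print(f"{pid} {proc:12} endpoints={f['endpoints']:<3} countries={f['countries']:<3} "
              f"targets={f['targets']} proxy_ports={f['proxy_port_hits']} -> {verdict}")
```

The aggregation deliberately keys on the process, not the destination: each individual proxy here carries only "unknown" or "suspicious" reputation, and a single CONNECT through a proxy is ordinary enterprise traffic (the chrome.exe control is not flagged). What separates the bot is breadth of endpoints and countries against a near-constant target, so that is what the thresholds express.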

DNS requests

No data

Threats

PID  | Process  | Class                           | Message
3324 | soft.exe | Generic Protocol Command Decode | SURICATA STREAM suspected RST injection
3324 | soft.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
3324 | soft.exe | Potentially Bad Traffic         | ET POLICY HTTP traffic on port 443 (CONNECT)
3324 | soft.exe | Potentially Bad Traffic         | ET POLICY HTTP traffic on port 443 (CONNECT)

All four are Suricata decoder and policy events rather than family-specific signatures; the report's MALICIOUS indicators come from process behaviour (a dropped executable being run), not from these alerts.
No debug info