File name: 31aee6c1c0d6c249ea2a0a603af877abcd11f41338b2a50b1c80c42eef1faad1.zip

Full analysis: https://app.any.run/tasks/33c9b20f-22e7-484d-a4ef-12f719f5e4c5
Verdict: Malicious activity
Analysis date: April 15, 2019, 14:23:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5824D9BCA207846326BAA081A8B11330
SHA1: AC68CDFC9AFBF7AF815170DFA0A4812D89B65B9A
SHA256: 9A9A0D9E06C410FBB11982DAAF1B51295E93C879EDEB35058FFF3B485F363C5C
SSDEEP: 24:ATLvQCXFe/ff1OJEzU3+Mu+blC21LrnXDhmJ8U7pQJPrmdQBTVLuOwwmuQTZhlt:ALvQ7/UJ8U3yH2hYJxOPadMTZpUZzt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • consent.exe (PID: 3564)
      • explorer.exe (PID: 2044)
      • svchost.exe (PID: 848)
      • SearchProtocolHost.exe (PID: 3216)
    • Runs app for hidden code execution
      • explorer.exe (PID: 2044)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • explorer.exe (PID: 2044)
    • Uses RUNDLL32.EXE to load library
      • cmd.exe (PID: 1040)
    • Starts CMD.EXE for commands execution
      • explorer.exe (PID: 2044)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: 31aee6c1c0d6c249ea2a0a603af877abcd11f41338b2a50b1c80c42eef1faad1.bin
ZipUncompressedSize: 3584
ZipCompressedSize: 1206
ZipCRC: 0x0e81caa9
ZipModifyDate: 2019:04:15 14:23:11
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process nodes, in order):
start → winrar.exe (no specs) → searchprotocolhost.exe (no specs) → explorer.exe → svchost.exe → consent.exe (no specs) → cmd.exe (no specs) → cmd.exe → rundll32.exe (no specs)

Process information

PID: 2432
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\31aee6c1c0d6c249ea2a0a603af877abcd11f41338b2a50b1c80c42eef1faad1.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3216
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2044
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: (not listed)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 848
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3564
CMD: consent.exe 848 624 01C51B18
Path: C:\Windows\system32\consent.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Consent UI for administrative applications
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1448
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1040
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2148
CMD: rundll32.exe 31aee6c1c0d6c249ea2a0a603af877abcd11f41338b2a50b1c80c42eef1faad1.exe
Path: C:\Windows\system32\rundll32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 3 031
Read events: 2 517
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 4
Text files: 0
Unknown types: 1

Dropped files

PID: 2432 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2432.26211\31aee6c1c0d6c249ea2a0a603af877abcd11f41338b2a50b1c80c42eef1faad1.bin
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 848 (svchost.exe)
Filename: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 848 (svchost.exe)
Filename: C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 2044 (explorer.exe)
Filename: C:\Users\admin\Desktop\31aee6c1c0d6c249ea2a0a603af877abcd11f41338b2a50b1c80c42eef1faad1.bin
Type: executable
MD5: C52464E9DF8B3D08FC612A0F11FE53B2
SHA256: 31AEE6C1C0D6C249EA2A0A603AF877ABCD11F41338B2A50B1C80C42EEF1FAAD1

PID: 848 (svchost.exe)
Filename: C:\Windows\appcompat\programs\RecentFileCache.bcf
Type: text
MD5: 27BFFD90E081DEE316ABE45AFDD62629
SHA256: AD9A31DB4A3C7D160B4770098DC531F65AC55B101BD5C987FC132A09BCE51C7F

PID: 848 (svchost.exe)
Filename: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
Type: binary
MD5: D99510032CD9A6BED2309046F3665BF1
SHA256: 6A5336350C134297B53F83354E79C59E48153A8DE92029692A95DB40C4C22504

PID: 2044 (explorer.exe)
Filename: C:\Users\admin\Desktop\31aee6c1c0d6c249ea2a0a603af877abcd11f41338b2a50b1c80c42eef1faad1.exe
Type: executable
MD5: C52464E9DF8B3D08FC612A0F11FE53B2
SHA256: 31AEE6C1C0D6C249EA2A0A603AF877ABCD11F41338B2A50B1C80C42EEF1FAAD1

PID: 848 (svchost.exe)
Filename: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
Type: binary
MD5: B2697F6D394F95DE3DAF30B13DDF7F50
SHA256: 7FCEA90D9A5D413BE4FB3474B67D2A0DA40A8C6E785A6A4EDC96EE3A48E98BFF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
Debug info: No debug info