File name:

maddisAsm_.zip

Full analysis: https://app.any.run/tasks/67a47ca6-efc8-4d6e-8638-369a3dfb3c67
Verdict: Malicious activity
Analysis date: June 19, 2024, 19:42:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

5260B97EBCEFF9DB455F1A501EC80479

SHA1:

A160598FCEC1A1813B8F30196B53C4E71F95A4D3

SHA256:

9BA7496463D47C72BC0A4B3B9AB4B58690E84A09E915D48273A22B3F627671D0

SSDEEP:

98304:i8F7nCH3QzJdwnRclIp695DrMPim0em8wBdYdpHXMnQG8mGm4xfeU6qFZn+Fbp51:HqXroqSO5TjPI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3344)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3344)

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3344)

  • INFO

    • Checks supported languages

      • Setup.exe (PID: 2940)

    • Reads the computer name

      • Setup.exe (PID: 2940)

    • Manual execution by a user

      • Setup.exe (PID: 2940)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:06:16 09:37:52
ZipCRC: 0x5f8a2afb
ZipCompressedSize: 6206345
ZipUncompressedSize: 6450610
ZipFileName: avenue.mkv
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe setup.exe

Process information

PID
CMD
Path
Indicators
Parent process
2940"C:\Users\admin\Desktop\maddisAsm_\Setup.exe" C:\Users\admin\Desktop\maddisAsm_\Setup.exe
explorer.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
MEDIUM
Description:
DualSafe Password Manager
Exit code:
3221225477
Version:
1.4.0.3
Modules
Images
c:\users\admin\desktop\maddisasm_\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\maddisasm_\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3344"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\maddisAsm_.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
3 794
Read events
3 765
Write events
29
Delete events
0

Modification events

(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3344) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\maddisAsm_.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
30
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\avenue.mkv
MD5:
SHA256:
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\coalfish.apkbinary
MD5:BF7F0863F57EA0B64FAFE755EEDB0C7F
SHA256:1D8A03E11F7AA0FBA3A3B45586505A3069D42983AD7F117ACA0F1656305AC3FA
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\madbasic_.bplexecutable
MD5:E03A0056E75D3A5707BA199BC2EA701F
SHA256:7826395127E791A883359EA81308174700DA0AF8052CC9853B19FD29C2E4BADB
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\madexcept_.bplexecutable
MD5:98E59596EDD9B888D906C5409E515803
SHA256:A6CA13AF74A64E4AB5EBB2D12B757CECF1A683CB9CD0AE7906DB1B4B2C8A90C0
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\maddisAsm_.bplexecutable
MD5:EF3B47B2EA3884914C13C778FF29EB5B
SHA256:475F7CDFFD8ED4D6F52BD98AE2BB684F1C923A1BE2A692757A9AF788A39B1D87
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\rtl120.bplexecutable
MD5:C8A858F88ACFF0FE0819E6357B4ADB7D
SHA256:7C6C719FC45E1F7F474FB9D0E2DAE96FC7993B5771CD8E38A650BD4E28914A4F
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\vcruntime140.dllexecutable
MD5:81B11024A8ED0C9ADFD5FBF6916B133C
SHA256:EB6A3A491EFCC911F9DFF457D42FED85C4C170139414470EA951B0DAFE352829
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\x86\api-ms-win-core-util-l1-1-0.dllexecutable
MD5:C6553959AECD5BAC01C0673CFDF86B68
SHA256:68BD9C086D210EB14E78F00988BA88CEAF9056C8F10746AB024990F8512A2296
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\x86\api-ms-win-core-string-l1-1-0.dllexecutable
MD5:2E5C29FC652F432B89A1AFE187736C4D
SHA256:3807DB7ACF1B40C797E4D4C14A12C3806346AE56B25E205E600BE3E635C18D4F
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\x86\api-ms-win-core-synch-l1-2-0.dllexecutable
MD5:659E4FEBC208545A2E23C0C8B881A30D
SHA256:9AC63682E03D55A5D18405D336634AF080DD0003B565D12A39D6D71AAA989F48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
2564
svchost.exe
239.255.255.250:3702
unknown
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
maddisAsm_.zip