File name:

maddisAsm_.zip

Full analysis: https://app.any.run/tasks/67a47ca6-efc8-4d6e-8638-369a3dfb3c67
Verdict: Malicious activity
Analysis date: June 19, 2024, 19:42:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

5260B97EBCEFF9DB455F1A501EC80479

SHA1:

A160598FCEC1A1813B8F30196B53C4E71F95A4D3

SHA256:

9BA7496463D47C72BC0A4B3B9AB4B58690E84A09E915D48273A22B3F627671D0

SSDEEP:

98304:i8F7nCH3QzJdwnRclIp695DrMPim0em8wBdYdpHXMnQG8mGm4xfeU6qFZn+Fbp51:HqXroqSO5TjPI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3344)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3344)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3344)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3344)

    • Checks supported languages

      • Setup.exe (PID: 2940)

    • Reads the computer name

      • Setup.exe (PID: 2940)

    • Manual execution by a user

      • Setup.exe (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:06:16 09:37:52
ZipCRC: 0x5f8a2afb
ZipCompressedSize: 6206345
ZipUncompressedSize: 6450610
ZipFileName: avenue.mkv
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe setup.exe

Process information

PID
CMD
Path
Indicators
Parent process
2940"C:\Users\admin\Desktop\maddisAsm_\Setup.exe" C:\Users\admin\Desktop\maddisAsm_\Setup.exe
explorer.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
MEDIUM
Description:
DualSafe Password Manager
Exit code:
3221225477
Version:
1.4.0.3
Modules
Images
c:\users\admin\desktop\maddisasm_\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\maddisasm_\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3344"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\maddisAsm_.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
3 794
Read events
3 765
Write events
29
Delete events
0

Modification events

(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3344) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\maddisAsm_.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
30
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\avenue.mkv
MD5:
SHA256:
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\Setup.exeexecutable
MD5:5D52EF45B6E5BF144307A84C2AF1581B
SHA256:26A24D3B0206C6808615C7049859C2FE62C4DCD87E7858BE40AE8112B0482616
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\madexcept_.bplexecutable
MD5:98E59596EDD9B888D906C5409E515803
SHA256:A6CA13AF74A64E4AB5EBB2D12B757CECF1A683CB9CD0AE7906DB1B4B2C8A90C0
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\madbasic_.bplexecutable
MD5:E03A0056E75D3A5707BA199BC2EA701F
SHA256:7826395127E791A883359EA81308174700DA0AF8052CC9853B19FD29C2E4BADB
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\vcl120.bplbinary
MD5:13A2734BB2249010514386EBC856B8DA
SHA256:713C21D009000D504D9BCF3CE95D50E74D3933083783DE144DB0A16E2425EBCC
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\rtl120.bplexecutable
MD5:C8A858F88ACFF0FE0819E6357B4ADB7D
SHA256:7C6C719FC45E1F7F474FB9D0E2DAE96FC7993B5771CD8E38A650BD4E28914A4F
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\updater\manager\ks_tyres.initext
MD5:47F6571C7884DA6C743551AC724186D4
SHA256:894D3C57598ECB22C769CC3EA8219859A95E22740E72394A474012EA2119B3D9
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\maddisAsm_.bplexecutable
MD5:EF3B47B2EA3884914C13C778FF29EB5B
SHA256:475F7CDFFD8ED4D6F52BD98AE2BB684F1C923A1BE2A692757A9AF788A39B1D87
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\vclx120.bplexecutable
MD5:3CB8F7606940C9B51C45EBAEB84AF728
SHA256:2FEEC33D1E3F3D69C717F4528B8F7F5C030CAAE6FB37C2100CB0B5341367D053
3344WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\vcruntime140.dllexecutable
MD5:81B11024A8ED0C9ADFD5FBF6916B133C
SHA256:EB6A3A491EFCC911F9DFF457D42FED85C4C170139414470EA951B0DAFE352829
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
unknown
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
2564
svchost.exe
239.255.255.250:3702
unknown
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
maddisAsm_.zip