File name:

maddisAsm_.zip

Full analysis: https://app.any.run/tasks/67fb316b-ee2c-4217-8914-1e888f9994a7
Verdict: Malicious activity
Analysis date: June 19, 2024, 19:45:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

5260B97EBCEFF9DB455F1A501EC80479

SHA1:

A160598FCEC1A1813B8F30196B53C4E71F95A4D3

SHA256:

9BA7496463D47C72BC0A4B3B9AB4B58690E84A09E915D48273A22B3F627671D0

SSDEEP:

98304:i8F7nCH3QzJdwnRclIp695DrMPim0em8wBdYdpHXMnQG8mGm4xfeU6qFZn+Fbp51:HqXroqSO5TjPI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3416)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3416)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3416)

    • Starts a Microsoft application from unusual location

      • VSLauncher_[0MB]_[1].exe (PID: 3132)

  • INFO

    • Checks supported languages

      • Setup.exe (PID: 3200)
      • HDHelper_[0MB]_[1].exe (PID: 3852)
      • VSLauncher_[0MB]_[1].exe (PID: 3132)
      • NvStereoUtilityOGL_[1MB]_[1].exe (PID: 964)
      • vlc.exe (PID: 3988)

    • Reads the computer name

      • Setup.exe (PID: 3200)
      • vlc.exe (PID: 3988)

    • Manual execution by a user

      • Setup.exe (PID: 3200)
      • HDHelper_[0MB]_[1].exe (PID: 3852)
      • VSLauncher_[0MB]_[1].exe (PID: 3132)
      • NvStereoUtilityOGL_[1MB]_[1].exe (PID: 964)
      • vlc.exe (PID: 3988)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3416)

    • Create files in a temporary directory

      • HDHelper_[0MB]_[1].exe (PID: 3852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:06:16 09:37:52
ZipCRC: 0x5f8a2afb
ZipCompressedSize: 6206345
ZipUncompressedSize: 6450610
ZipFileName: avenue.mkv
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe setup.exe hdhelper_[0mb]_[1].exe no specs vslauncher_[0mb]_[1].exe no specs nvstereoutilityogl_[1mb]_[1].exe vlc.exe

Process information

PID
CMD
Path
Indicators
Parent process
964"C:\Users\admin\Desktop\maddisAsm_\x86\NvStereoUtilityOGL_[1MB]_[1].exe" C:\Users\admin\Desktop\maddisAsm_\x86\NvStereoUtilityOGL_[1MB]_[1].exe
explorer.exe
User:
admin
Company:
NVIDIA Corporation
Integrity Level:
MEDIUM
Description:
OpenGL Stereo Sample
Exit code:
3221225477
Version:
1, 2, 2, 0
Modules
Images
c:\users\admin\desktop\maddisasm_\x86\nvstereoutilityogl_[1mb]_[1].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3132"C:\Users\admin\Desktop\maddisAsm_\x86\VSLauncher_[0MB]_[1].exe" C:\Users\admin\Desktop\maddisAsm_\x86\VSLauncher_[0MB]_[1].exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual Studio Version Selector
Exit code:
4294967295
Version:
17.0.34205.65 built by: CBA-1005_101930_1
Modules
Images
c:\users\admin\desktop\maddisasm_\x86\vslauncher_[0mb]_[1].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3200"C:\Users\admin\Desktop\maddisAsm_\Setup.exe" C:\Users\admin\Desktop\maddisAsm_\Setup.exe
explorer.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
MEDIUM
Description:
DualSafe Password Manager
Exit code:
3221225477
Version:
1.4.0.3
Modules
Images
c:\users\admin\desktop\maddisasm_\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\maddisasm_\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3416"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\maddisAsm_.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3852"C:\Users\admin\Desktop\maddisAsm_\x86\HDHelper_[0MB]_[1].exe" C:\Users\admin\Desktop\maddisAsm_\x86\HDHelper_[0MB]_[1].exeexplorer.exe
User:
admin
Company:
Adobe Inc.
Integrity Level:
MEDIUM
Description:
HD Helper
Exit code:
4294967295
Version:
5.9.0.372
Modules
Images
c:\users\admin\desktop\maddisasm_\x86\hdhelper_[0mb]_[1].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3988"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\Desktop\maddisAsm_\avenue.mkv"C:\Program Files\VideoLAN\VLC\vlc.exe
explorer.exe
User:
admin
Company:
VideoLAN
Integrity Level:
MEDIUM
Description:
VLC media player
Exit code:
0
Version:
3.0.11
Modules
Images
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
9 120
Read events
9 102
Write events
18
Delete events
0

Modification events

(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3416) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\maddisAsm_.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
31
Suspicious files
2
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\avenue.mkv
MD5:
SHA256:
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\vcruntime140.dllexecutable
MD5:81B11024A8ED0C9ADFD5FBF6916B133C
SHA256:EB6A3A491EFCC911F9DFF457D42FED85C4C170139414470EA951B0DAFE352829
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\vclx120.bplexecutable
MD5:3CB8F7606940C9B51C45EBAEB84AF728
SHA256:2FEEC33D1E3F3D69C717F4528B8F7F5C030CAAE6FB37C2100CB0B5341367D053
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\rtl120.bplexecutable
MD5:C8A858F88ACFF0FE0819E6357B4ADB7D
SHA256:7C6C719FC45E1F7F474FB9D0E2DAE96FC7993B5771CD8E38A650BD4E28914A4F
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\Setup.exeexecutable
MD5:5D52EF45B6E5BF144307A84C2AF1581B
SHA256:26A24D3B0206C6808615C7049859C2FE62C4DCD87E7858BE40AE8112B0482616
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\maddisAsm_.bplexecutable
MD5:EF3B47B2EA3884914C13C778FF29EB5B
SHA256:475F7CDFFD8ED4D6F52BD98AE2BB684F1C923A1BE2A692757A9AF788A39B1D87
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\madbasic_.bplexecutable
MD5:E03A0056E75D3A5707BA199BC2EA701F
SHA256:7826395127E791A883359EA81308174700DA0AF8052CC9853B19FD29C2E4BADB
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\updater\manager\ks_tyres.initext
MD5:47F6571C7884DA6C743551AC724186D4
SHA256:894D3C57598ECB22C769CC3EA8219859A95E22740E72394A474012EA2119B3D9
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\madexcept_.bplexecutable
MD5:98E59596EDD9B888D906C5409E515803
SHA256:A6CA13AF74A64E4AB5EBB2D12B757CECF1A683CB9CD0AE7906DB1B4B2C8A90C0
3416WinRAR.exeC:\Users\admin\Desktop\maddisAsm_\vcruntime140_app.dllexecutable
MD5:C0F29BD3B0EB4D8795D609A0C52E0926
SHA256:813A447192C4FA7D25D0716B769399546F8BF6B31269DD8AD47F9812008D79E6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.36.163.30:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
23.36.163.20:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
239.255.255.250:3702
unknown
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
23.36.163.30:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 23.36.163.30
  • 23.36.163.20
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
watson.microsoft.com
  • 104.208.16.93
whitelisted

Threats

No threats detected
Process
Message
vlc.exe
main libvlc debug: revision 3.0.11-0-gdc0c5ced72
vlc.exe
main libvlc debug: Copyright © 1996-2020 the VideoLAN team
vlc.exe
main libvlc debug: using multimedia timers as clock source
vlc.exe
main libvlc debug: VLC media player - 3.0.11 Vetinari
vlc.exe
main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
vlc.exe
main libvlc debug: min period: 1 ms, max period: 1000000 ms
vlc.exe
main libvlc debug: searching plug-in modules
vlc.exe
main libvlc error: stale plugins cache: modified C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll
vlc.exe
main libvlc error: stale plugins cache: modified C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll
vlc.exe
main libvlc error: stale plugins cache: modified C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
maddisAsm_.zip