analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

5791987283197952.zip

Full analysis: https://app.any.run/tasks/5459cbe5-2934-4051-8dee-0885f372792d
Verdict: Malicious activity
Analysis date: September 10, 2019, 22:58:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

92841522C70624EB2E409629216DA9DF

SHA1:

FF5584187CF1D6C22877129B20070E3273521FF9

SHA256:

9C38A1A0D529AE7DD8C01C7D3AAFF9C97D9D205853A7F931B6FE9D10DC8E2BAF

SSDEEP:

384:eSEOYkllzu+t5SKG9TJADPv5xDkXFH+Np4ynea16ArPmYknuhd:eSEpCzuiY9xXFHqp4E16IMuH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe (PID: 3380)
      • ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe (PID: 3820)
      • b2e.exe (PID: 2644)
      • b2e.exe (PID: 2532)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2880)
      • ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe (PID: 3380)
      • ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe (PID: 3820)
    • Starts CMD.EXE for commands execution

      • b2e.exe (PID: 2644)
      • b2e.exe (PID: 2532)
  • INFO

    • Manual execution by user

      • rundll32.exe (PID: 3364)
      • ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe (PID: 3380)
      • ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe (PID: 3820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea
ZipUncompressedSize: 32768
ZipCompressedSize: 17312
ZipCRC: 0x00000000
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
10
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe rundll32.exe no specs ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe b2e.exe no specs cmd.exe no specs cmd.exe no specs ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe b2e.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2880"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\5791987283197952.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3364"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beeaC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3380"C:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe" C:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
8851
2644"C:\Users\admin\AppData\Local\Temp\2F.tmp\b2e.exe" C:\Users\admin\AppData\Local\Temp\2F.tmp\b2e.exe C:\Users\admin\Desktop\5791987283197952 "C:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe" C:\Users\admin\AppData\Local\Temp\2F.tmp\b2e.exeebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3836cmd /c ""C:\Users\admin\AppData\Local\Temp\EA.tmp\batfile.bat" "C:\Windows\system32\cmd.exeb2e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2492cmd /c ""C:\Users\admin\AppData\Local\Temp\selfdel0.bat" "C:\Windows\system32\cmd.exeb2e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3820"C:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe" C:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
8851
2532"C:\Users\admin\AppData\Local\Temp\5B7E.tmp\b2e.exe" C:\Users\admin\AppData\Local\Temp\5B7E.tmp\b2e.exe C:\Users\admin\Desktop\5791987283197952 "C:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe" C:\Users\admin\AppData\Local\Temp\5B7E.tmp\b2e.exeebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1456cmd /c ""C:\Users\admin\AppData\Local\Temp\5C1A.tmp\batfile.bat" "C:\Windows\system32\cmd.exeb2e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
356cmd /c ""C:\Users\admin\AppData\Local\Temp\selfdel0.bat" "C:\Windows\system32\cmd.exeb2e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 342
Read events
1 304
Write events
38
Delete events
0

Modification events

(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2880) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\5791987283197952.zip
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop\5791987283197952
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
Executable files
3
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2644b2e.exeC:\Users\admin\AppData\Local\Temp\selfdel0.bat
MD5:
SHA256:
2644b2e.exeC:\Users\admin\AppData\Local\Temp\EA.tmp\batfile.battext
MD5:752C4F4852843AA528E5576D9A3A7449
SHA256:6F84BFBFA5CB42CC1333D13414493C303F1E816ADC9888E553B46CD0EED9895D
2532b2e.exeC:\Users\admin\AppData\Local\Temp\5C1A.tmp\batfile.battext
MD5:752C4F4852843AA528E5576D9A3A7449
SHA256:6F84BFBFA5CB42CC1333D13414493C303F1E816ADC9888E553B46CD0EED9895D
3380ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exeC:\Users\admin\AppData\Local\Temp\2F.tmp\b2e.exeexecutable
MD5:9E695749B855B6161976D8076399B309
SHA256:31E2A8F9155FC9A6BDB3EB31632D54601C6F3F41FC158418458F486CBDD9AB9E
2532b2e.exeC:\Users\admin\AppData\Local\Temp\selfdel0.battext
MD5:E92F809CEC9A4B2B9BBC35A763E61673
SHA256:3AE6EABE0AA6732F93AD23886B5BA33300BE4F8C50355B56EB166EB65E5C57A3
3820ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beea.exeC:\Users\admin\AppData\Local\Temp\5B7E.tmp\b2e.exeexecutable
MD5:9E695749B855B6161976D8076399B309
SHA256:31E2A8F9155FC9A6BDB3EB31632D54601C6F3F41FC158418458F486CBDD9AB9E
2880WinRAR.exeC:\Users\admin\Desktop\5791987283197952\ebe26ff9f3bbb24a98a0fb70eea4b6b18e5ab8f4081fa7887f72b493b573beeaexecutable
MD5:0431CCD4B676E65133279ED5DC951601
SHA256:EBE26FF9F3BBB24A98A0FB70EEA4B6B18E5AB8F4081FA7887F72B493B573BEEA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info