analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 000.zip |
| Full analysis: | https://app.any.run/tasks/79ee41d7-dd90-4867-a953-c805b512c918 |
| Verdict: | Malicious activity |
| Analysis date: | November 30, 2020, 02:39:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | D113BD83E59586DD8F1843BDB9B98EE0 |
| SHA1: | 6C203D91D5184DADE63DBAB8AECBDFAA8A5402AB |
| SHA256: | 9D3FE04D88C401178165F7FBDF307AC0FB690CC5FEF8B70EE7F380307D4748F8 |
| SSDEEP: | 3072:QxpL6ECUOVjuZ6HwZ3KMh8N73lLrKG+PE9g4CN33:2961UwjuDZn65nxIE9y33 |
MALICIOUS
Task Manager has been disabled (taskmgr)
- [email protected] (PID: 2944)
Changes the login/logoff helper path in the registry
- [email protected] (PID: 2944)
Drops executable file immediately after starts
- [email protected] (PID: 2944)
Application was dropped or rewritten from another process
- [email protected] (PID: 2844)
- [email protected] (PID: 2944)
Writes to a start menu file
- cmd.exe (PID: 2232)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1136)
- [email protected] (PID: 2944)
- cmd.exe (PID: 2232)
Drops a file that was compiled in debug mode
- WinRAR.exe (PID: 1136)
Changes the desktop background image
- [email protected] (PID: 2944)
Starts CMD.EXE for commands execution
- [email protected] (PID: 2944)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 2232)
Creates files in the program directory
- cmd.exe (PID: 2232)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2016:09:22 06:02:06 |
| ZipCRC: | 0x80f327a6 |
| ZipCompressedSize: | 122485 |
| ZipUncompressedSize: | 6983680 |
| ZipFileName: | [email protected] |
Total processes
49
Monitored processes
9
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1136 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\000.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 2844 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1136.33874\[email protected]" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1136.33874\[email protected] | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Description: 000 Exit code: 3221226540 Version: 0.0.0.0 | ||||
| 2944 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1136.33874\[email protected]" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1136.33874\[email protected] | WinRAR.exe | |
User: admin Integrity Level: HIGH Description: 000 Version: 0.0.0.0 | ||||
| 2232 | cmd /c ""C:\Users\admin\AppData\Local\Temp\windl.bat"" | C:\Windows\system32\cmd.exe | [email protected] | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2948 | taskkill /f /im explorer.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3172 | taskkill /f /im taskmgr.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 1252 | wmic useraccount where name='admin' set FullName='UR NEXT' | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 4076 | wmic useraccount where name='admin' rename 'UR NEXT' | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3360 | shutdown /f /r /t 0 | C:\Windows\system32\shutdown.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Shutdown and Annotation Tool Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
885
Read events
846
Write events
0
Delete events
0
Modification events
Executable files
3
Suspicious files
0
Text files
380
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2944 | [email protected] | C:\Users\admin\AppData\Local\Temp\one.rtf | text | |
MD5:6FBD6CE25307749D6E0A66EBBC0264E7 | SHA256:E152B106733D9263D3CF175F0B6197880D70ACB753F8BDE8035A3E4865B31690 | |||
| 2944 | [email protected] | C:\Users\admin\AppData\Local\Temp\text.txt | text | |
MD5:9037EBF0A18A1C17537832BC73739109 | SHA256:38C889B5D7BDCB79BBCB55554C520A9CE74B5BFC29C19D1E4CB1419176C99F48 | |||
| 2232 | cmd.exe | C:\Users\admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt | text | |
MD5:9037EBF0A18A1C17537832BC73739109 | SHA256:38C889B5D7BDCB79BBCB55554C520A9CE74B5BFC29C19D1E4CB1419176C99F48 | |||
| 2232 | cmd.exe | C:\Users\admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N10XT.txt | text | |
MD5:9037EBF0A18A1C17537832BC73739109 | SHA256:38C889B5D7BDCB79BBCB55554C520A9CE74B5BFC29C19D1E4CB1419176C99F48 | |||
| 1136 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1136.33874\[email protected] | executable | |
MD5:F2B7074E1543720A9A98FDA660E02688 | SHA256:4EA1F2ECF7EB12896F2CBF8683DAE8546D2B8DC43CF7710D68CE99E127C0A966 | |||
| 2232 | cmd.exe | C:\Users\admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N2XT.txt | text | |
MD5:9037EBF0A18A1C17537832BC73739109 | SHA256:38C889B5D7BDCB79BBCB55554C520A9CE74B5BFC29C19D1E4CB1419176C99F48 | |||
| 2944 | [email protected] | C:\Users\admin\AppData\Local\Temp\rniw.exe | executable | |
MD5:9232120B6FF11D48A90069B25AA30ABC | SHA256:70FAA0E1498461731F873D3594F20CBF2BEAA6F123A06B66F9DF59A9CDF862BE | |||
| 2232 | cmd.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\rniw.exe | executable | |
MD5:9232120B6FF11D48A90069B25AA30ABC | SHA256:70FAA0E1498461731F873D3594F20CBF2BEAA6F123A06B66F9DF59A9CDF862BE | |||
| 2232 | cmd.exe | C:\Users\admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N0XT.txt | text | |
MD5:9037EBF0A18A1C17537832BC73739109 | SHA256:38C889B5D7BDCB79BBCB55554C520A9CE74B5BFC29C19D1E4CB1419176C99F48 | |||
| 2944 | [email protected] | C:\Users\admin\AppData\Local\Temp\icon.ico | image | |
MD5:A4B9662CF3B6EA6626F6081C0D8C13F3 | SHA256:84A1C2713642090523F05D9FB015C537FD210D3200CADAF442BB67CF1834B356 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report