analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | f9e86e9def39a3d16be40a5e63e303e4-content.zip |
| Full analysis: | https://app.any.run/tasks/ed1dfd69-4fee-4158-b94a-e2e54f49219c |
| Verdict: | Malicious activity |
| Analysis date: | January 18, 2019, 08:26:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | AB30992E0C61FC223A6BFE42D85121DE |
| SHA1: | CECE8531697D6C296E2900D2F199B2C6B63EEB40 |
| SHA256: | 9DF63A56F751B955E95C6F42C097772B2AFA5B0EAFAD9DB9F3F1C0059C57C5FD |
| SSDEEP: | 24576:dlDXkGg9h9Fj8a0V6XvQiqt6hKy4Gt5pTV3oSGP1BMopws6ebljomTVc45kAmWx4:b8FDK6fCUJbRTZoSGP1fpDRblj5xc48L |
MALICIOUS
Application was dropped or rewritten from another process
- SETUP.EXE (PID: 2888)
- SETUP.EXE (PID: 2240)
- setup1.exe (PID: 1216)
- SETUP.EXE (PID: 3904)
- SETUP.EXE (PID: 2776)
- setup1.exe (PID: 3112)
Loads dropped or rewritten executable
- SETUP.EXE (PID: 2776)
SUSPICIOUS
Creates files in the Windows directory
- SETUP.EXE (PID: 2240)
- SETUP.EXE (PID: 2776)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2732)
- SETUP.EXE (PID: 2240)
- SETUP.EXE (PID: 2776)
Creates files in the program directory
- SETUP.EXE (PID: 2240)
- SETUP.EXE (PID: 2776)
Removes files from Windows directory
- SETUP.EXE (PID: 2776)
- SETUP.EXE (PID: 2240)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (66.6) |
|---|---|---|
| .zip | | | ZIP compressed archive (33.3) |
EXIF
ZIP
| ZipFileName: | IVA-v503_R0-INSTALL.zip.zs |
|---|---|
| ZipUncompressedSize: | 1379272 |
| ZipCompressedSize: | 1376232 |
| ZipCRC: | 0x8486e3d0 |
| ZipModifyDate: | 2019:01:17 18:08:18 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
Total processes
46
Monitored processes
8
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3492 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f9e86e9def39a3d16be40a5e63e303e4-content.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 2732 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\IVA-v503_R0-INSTALL.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 2888 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\SETUP.EXE" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\SETUP.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Instalación de Bootstrap para Visual Basic Setup Toolkit Exit code: 3221226540 Version: 5.00.3716 | ||||
| 2240 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\SETUP.EXE" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\SETUP.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Instalación de Bootstrap para Visual Basic Setup Toolkit Exit code: 0 Version: 5.00.3716 | ||||
| 1216 | C:\Windows\setup1.exe "C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\" "C:\Windows\ST5UNST.000" "C:\Windows\ST5UNST.EXE" | C:\Windows\setup1.exe | — | SETUP.EXE |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic 5.0 Setup Toolkit Exit code: 3221225781 Version: 5.00.3716 | ||||
| 3904 | "C:\Users\admin\Desktop\SETUP.EXE" | C:\Users\admin\Desktop\SETUP.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Instalación de Bootstrap para Visual Basic Setup Toolkit Exit code: 3221226540 Version: 5.00.3716 | ||||
| 2776 | "C:\Users\admin\Desktop\SETUP.EXE" | C:\Users\admin\Desktop\SETUP.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Instalación de Bootstrap para Visual Basic Setup Toolkit Exit code: 0 Version: 5.00.3716 | ||||
| 3112 | C:\Windows\setup1.exe "C:\Users\admin\Desktop\" "C:\Windows\ST5UNST.001" "C:\Windows\ST5UNST.EXE" | C:\Windows\setup1.exe | — | SETUP.EXE |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic 5.0 Setup Toolkit Exit code: 3221225781 Version: 5.00.3716 | ||||
Total events
1 234
Read events
1 177
Write events
0
Delete events
0
Modification events
Executable files
6
Suspicious files
0
Text files
37
Unknown types
33
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3492.3142\IVA-v503_R0-INSTALL.zip.zs | — | |
MD5:— | SHA256:— | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\IVA.CN_ | ex_ | |
MD5:BC531FDB4CB612CCBE65F6CB531045D1 | SHA256:782A2B0372131ED253AAFAFA3E7028ED8BCE6AF385F4EC77F0C084D952EB6522 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\RPT1.RP_ | ex_ | |
MD5:FCA94043D280930722A7B90B7B0E4C80 | SHA256:25B89FD90A0B6791918A64D49E4A4A89F38BA8DF1CABBD141B1F06DBF30E1962 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\FIMP.RP_ | ex_ | |
MD5:C27F296704AF4CB3E7DDB6337F6F09DE | SHA256:38B1C1136525D979A7E8BFB534922D01853A27D84CA7F63806D3ADE860916004 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\rpfrm.rp_ | ex_ | |
MD5:820DF61CB9A878B04D773220FAF0A369 | SHA256:868FD4B284440CDF193E672DE9EA1B785B31F81DC9F2BBFFDA9B4AC4923A68BA | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\RPFRM810.RP_ | ex_ | |
MD5:E73709566C8E023532B291662606C768 | SHA256:4026D8EF4A141E5C15CE6B62F6251FB6EA48D667C66FC6956E3193BE384A68F3 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\RPTCBE.RP_ | ex_ | |
MD5:0797579655569DFEF489CA766AB225BF | SHA256:EC3FEA0F84D20AE5B4FCE181BA75CE2C93530724DC40825E55DF7744347D2711 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\RPTCOM.RP_ | ex_ | |
MD5:2C89EE7F1F19038036919C20A0EE4FDF | SHA256:920D4F2D76392490760351095CEE9BFC90C96F00CD2D229723B9C0514DE07439 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\RPTCSPAC.RP_ | ex_ | |
MD5:76D93ECAE56F00B06CD5E4ED7602700D | SHA256:0AFD97A11D8FB27E14B14BE87BE9879A5EC8A5C64AE7A598BCFFDC117BFE0A17 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2732.5675\Iva.ex_ | ex_ | |
MD5:C4BA9E518871018FCC3EBF80E43912CD | SHA256:CBAA64B37300CEEC32DC847FBD55136483A4C04CC1D61C623E9B1B2D1AD822CF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report