analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample.zip

Full analysis: https://app.any.run/tasks/a493859b-ff63-432d-a137-b59b311f1a95
Verdict: Malicious activity
Analysis date: December 18, 2018, 20:15:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B650191C73449C540B1B6A5979188AA1

SHA1:

EB51C18E6AC37C41BF95218E2C7C2230AC8943D3

SHA256:

9DF9B6A6273ACDA6126CDF69A6F86CB631C7093360ADA4AABE01015B20736AE2

SSDEEP:

768:0MG+RChM11TmptpAVWrM/duEyje7c2A5OtgiQaDnRCZ4vX+miDQeiODS469rSj:0ARUuQsYje7criPnRC+X13ehyFSj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1224)
      • svchost.exe (PID: 844)
      • explorer.exe (PID: 116)

    • Renames files like Ransomware

      • explorer.exe (PID: 116)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 116)

    • Creates files in the user directory

      • explorer.exe (PID: 116)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 116)

  • INFO

    • Starts Microsoft Office Application

      • explorer.exe (PID: 116)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 884)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:12:18 21:11:15
ZipCRC: 0x7f85132d
ZipCompressedSize: 44808
ZipUncompressedSize: 82435
ZipFileName: samples/0f2ee8f0e463a4e5ac54ba0d9d5960cd
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs svchost.exe explorer.exe searchprotocolhost.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2820"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
844C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1224"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
884"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\0f2ee8f0e463a4e5ac54ba0d9d5960cd.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
4 231
Read events
4 176
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
0
Unknown types
7

Dropped files

PID
Process
Filename
Type
2820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2820.17099\samples\0f2ee8f0e463a4e5ac54ba0d9d5960cd
MD5:
SHA256:
884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR547A.tmp.cvr
MD5:
SHA256:
884WINWORD.EXEC:\Users\admin\Desktop\~$2ee8f0e463a4e5ac54ba0d9d5960cd.docpgc
MD5:72004BBC98FE2ABA80D395E0010C5631
SHA256:7AB20D0F562EB8C061EEDFE75631CF811B87E28CD290485449A7A8530A06D375
116explorer.exeC:\Users\admin\Desktop\0f2ee8f0e463a4e5ac54ba0d9d5960cdexecutable
MD5:0F2EE8F0E463A4E5AC54BA0D9D5960CD
SHA256:7D3B4787D1B55676043ACDD07147DA47380E8C144861C3A0349D82C1BB83D345
116explorer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018121820181219\index.datdat
MD5:493DC22CFFE16C25E0DAD8125B7A389E
SHA256:342AEB8D565DB88811A9428677E515D610DAB3BCD326AB1186FAF8F27E6E4157
844svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:F21900C7A25F863C30D1D846EA91370B
SHA256:19E89AC099570546B4FB964A14D5E70B72AB17B892739FFE1A6111AD8404641F
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\0f2ee8f0e463a4e5ac54ba0d9d5960cd.doc.lnklnk
MD5:41167B88E4BAF650EA30A8C9A96EDB38
SHA256:2ED63E1A620BE04DDA3A6C303FA893D5A0EB7E2ED3B976E106CD51D6C4EC90A6
116explorer.exeC:\Users\admin\Desktop\0f2ee8f0e463a4e5ac54ba0d9d5960cd.docexecutable
MD5:0F2EE8F0E463A4E5AC54BA0D9D5960CD
SHA256:7D3B4787D1B55676043ACDD07147DA47380E8C144861C3A0349D82C1BB83D345
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:C2676CFB35180CD7A33938C1EE21FB6C
SHA256:6CA81FD3AC2ED50B86F1AC3CDF4253F2EE820266673E031C23ABD2AA03BB1020
116explorer.exeC:\Users\admin\Desktop\0f2ee8f0e463a4e5ac54ba0d9d5960cd.exeexecutable
MD5:0F2EE8F0E463A4E5AC54BA0D9D5960CD
SHA256:7D3B4787D1B55676043ACDD07147DA47380E8C144861C3A0349D82C1BB83D345
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample.zip