File name: Downloads.7z
Full analysis: https://app.any.run/tasks/9e67257f-1197-43d1-9d0f-9162b2146baa
Verdict: Malicious activity
Analysis date: July 18, 2019, 11:14:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: AA2C76C0546EE537FE23ED26704BC8EB
SHA1: CA94CB2E23A066E85AB96ADFB59320BE2C6E44DB
SHA256: A43C4A9331086ACF6933CEEB8B7F0ED9B55DA24718F88C44332CDDDEFC8EEB69
SSDEEP: 98304:kHmtdgdu51Vo/fv3JkYivxVM43/4AY/4oy/PudoHsm90j5ZzSn7zCc:Dtdgd61Vo/KYivxVV4D/4o/dQLQ5ZzS1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • kms.exe (PID: 3932)
      • ikms.exe (PID: 2468)
      • win7oem.exe (PID: 2908)
      • mkms.exe (PID: 2364)
      • oem7.exe (PID: 2648)
    • Creates or modifies windows services

      • reg.exe (PID: 2728)
      • reg.exe (PID: 1696)
    • Loads dropped or rewritten executable

      • ikms.exe (PID: 2468)
      • svchost.exe (PID: 2948)
      • win7oem.exe (PID: 2908)
      • mkms.exe (PID: 2364)
      • svchost.exe (PID: 3388)
      • svchost.exe (PID: 2484)
      • svchost.exe (PID: 3928)
      • svchost.exe (PID: 4088)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2828)
      • cmd.exe (PID: 3012)
    • Changes settings of System certificates

      • svchost.exe (PID: 2948)
      • svchost.exe (PID: 3388)
      • svchost.exe (PID: 2484)
      • svchost.exe (PID: 3928)
      • svchost.exe (PID: 4088)
  • SUSPICIOUS

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3712)
      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 4092)
      • cmd.exe (PID: 3520)
      • cmd.exe (PID: 916)
      • cmd.exe (PID: 2636)
      • cmd.exe (PID: 1500)
      • cmd.exe (PID: 2940)
      • cmd.exe (PID: 2964)
      • cmd.exe (PID: 1036)
      • cmd.exe (PID: 2224)
      • cmd.exe (PID: 3012)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3712)
      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 4092)
      • cmd.exe (PID: 2224)
    • Starts CMD.EXE for command execution

      • kms.exe (PID: 3932)
      • ikms.exe (PID: 2468)
      • svchost.exe (PID: 2948)
      • mkms.exe (PID: 2364)
      • cmd.exe (PID: 1836)
      • svchost.exe (PID: 3388)
      • cmd.exe (PID: 788)
      • oem7.exe (PID: 2648)
      • svchost.exe (PID: 2484)
      • svchost.exe (PID: 3928)
      • svchost.exe (PID: 4088)
    • Uses WMIC.EXE to obtain system information

      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 1344)
      • cmd.exe (PID: 3540)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3836)
      • kms.exe (PID: 3932)
      • ikms.exe (PID: 2468)
      • svchost.exe (PID: 2948)
      • win7oem.exe (PID: 2908)
      • mkms.exe (PID: 2364)
    • Creates files in the program directory

      • kms.exe (PID: 3932)
      • ikms.exe (PID: 2468)
      • svchost.exe (PID: 2948)
      • mkms.exe (PID: 2364)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1524)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2116)
      • cmd.exe (PID: 804)
    • Creates files in the Windows directory

      • svchost.exe (PID: 2948)
    • Creates files in the driver directory

      • svchost.exe (PID: 2948)
    • Starts itself from another location

      • win7oem.exe (PID: 2908)
    • Executes scripts

      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 2556)
      • cmd.exe (PID: 2640)
    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 1696)
      • cmd.exe (PID: 2492)
      • cmd.exe (PID: 900)
      • cmd.exe (PID: 3784)
  • INFO

    • Manual execution by user

      • kms.exe (PID: 3932)
      • win7oem.exe (PID: 2908)
    • Dropped object may contain Bitcoin addresses

      • svchost.exe (PID: 2948)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

MPEG

MPEGAudioVersion: 2
AudioLayer: 3
AudioBitrate: 80 kbps
SampleRate: 16000
ChannelMode: Stereo
MSStereo: On
IntensityStereo: Off
CopyrightFlag:
OriginalMedia:
Emphasis: None

Composite

Duration: 0:08:33 (approx)
No data.
Screenshots: available in the full report.
Total processes: 224
Monitored processes: 100
Malicious processes: 7
Suspicious processes: 7

Behavior graph

Interactive process tree (full graph in the full report). Node labels: winrar.exe starts kms.exe; kms.exe, ikms.exe, win7oem.exe, mkms.exe and oem7.exe spawn chains of cmd.exe with wmic.exe, ping.exe, taskkill.exe, sc.exe, reg.exe, net.exe/net1.exe, findstr.exe, icacls.exe, takeown.exe, cscript.exe and explorer.exe children, plus several svchost.exe instances.

Process information

PID 3836 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Downloads.7z" | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0

PID 3932 | CMD: "C:\Users\admin\Desktop\kms.exe" | Path: C:\Users\admin\Desktop\kms.exe | Parent process: explorer.exe
User: admin; Integrity Level: HIGH; Description: KmsGUI; Exit code: 1; Version: 1, 0, 0, 1

PID 3160 | CMD: cmd.exe /c wmic os get caption /value | Path: C:\Windows\system32\cmd.exe | Parent process: kms.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3640 | CMD: wmic os get caption /value | Path: C:\Windows\System32\Wbem\WMIC.exe | Parent process: cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: WMI Commandline Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3480 | CMD: cmd.exe /c ping 1.2.3.4 -n 1 1>nul 2>nul && echo yes | Path: C:\Windows\system32\cmd.exe | Parent process: kms.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3108 | CMD: ping 1.2.3.4 -n 1 | Path: C:\Windows\system32\PING.EXE | Parent process: cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: TCP/IP Ping Command; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3712 | CMD: cmd.exe /c taskkill /fi "services eq vkms" /f && sc delete vkms | Path: C:\Windows\system32\cmd.exe | Parent process: kms.exe
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Command Processor; Exit code: 1060; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2060 | CMD: taskkill /fi "services eq vkms" /f | Path: C:\Windows\system32\taskkill.exe | Parent process: cmd.exe
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Terminates Processes; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3524 | CMD: sc delete vkms | Path: C:\Windows\system32\sc.exe | Parent process: cmd.exe
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: A tool to aid in developing services for WindowsNT; Exit code: 1060; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3732 | CMD: cmd.exe /c taskkill /fi "services eq ukms" /f && sc delete ukms | Path: C:\Windows\system32\cmd.exe | Parent process: kms.exe
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Command Processor; Exit code: 1060; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Registry activity

Total events: 1 257
Read events: 1 211
Write events: 0
Delete events: 0

Modification events: No data

Files activity

Executable files: 13
Suspicious files: 3
Text files: 1
Unknown types: 5

Dropped files

PID 2468 | ikms.exe | C:\Users\admin\AppData\Local\Temp\nsz25C5.tmp\SelfDel.dll | Type: - | MD5: - | SHA256: -
PID 2468 | ikms.exe | C:\Users\admin\AppData\Local\Temp\nsz25B4.tmp | Type: - | MD5: - | SHA256: -
PID 2364 | mkms.exe | C:\Program Files\Common Files\system\msadc\mkms.dat | Type: - | MD5: - | SHA256: -
PID 2364 | mkms.exe | C:\Users\admin\AppData\Local\Temp\nsuA526.tmp\SelfDel.dll | Type: - | MD5: - | SHA256: -
PID 2364 | mkms.exe | C:\Users\admin\AppData\Local\Temp\nsuA525.tmp | Type: - | MD5: - | SHA256: -
PID 2948 | svchost.exe | C:\Program Files\Common Files\System\ado\SSL\VeriSign Root CA.cer | Type: der | MD5: 0BE220D4427A8355641DA13F568ACF87 | SHA256: 2F479BADEF10E207FB507E92345C5A78DFD5E57B07ABCF3A4F2A9AC67D02FEC3
PID 3836 | WinRAR.exe | C:\Users\admin\Desktop\kms.exe | Type: executable | MD5: 3318A8B7BC3F30DCF3E867D4393B9F44 | SHA256: 8D7A9F55572DDA35278C8EC23E4C76F1FE900E99BFBB82B2FD7166238CCB92A1
PID 3932 | kms.exe | C:\Program Files\Common Files\System\ikms.exe | Type: executable | MD5: 275F76AFE331C0519B6000E376CD7F06 | SHA256: 5AC38E840FEFFC9062D006911C40617189254E685E636002E0012BA68AA6D885
PID 3836 | WinRAR.exe | C:\Users\admin\Desktop\win7oem.exe | Type: executable | MD5: 0F647BC72C1958D7B0383C9F17DEE6DB | SHA256: 1420BCF83F0AEEE6BD9E1DB5AF7FADC21B26C123AFC219DA32B52F1A6F756FB3
PID 2948 | svchost.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat | Type: binary | MD5: D865EC3AA2C9E47D4EAC74BC0B2B5C22 | SHA256: F31BA795670516F3D48B7CFA12D4A7A040E0E0567D8FD5616FC4FC04AE1A96BC

("-" marks a field the report left empty.)
Network activity

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | Country | Reputation
936 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown
3580 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown
2120 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown
3268 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown

DNS requests

Domain | IP | Reputation
i.wabudian.com | (no answer recorded) | unknown
m.360scloud.com | 45.32.71.123 | unknown

Threats

No threats detected

Debug output strings

Process | Message
kms.exe | SMessageLoop::Run - exiting,code = 1