File name: Microsoft.Windows.Universal.CD.keygen.zip
Full analysis: https://app.any.run/tasks/6d542ac7-c02d-4ea0-8398-360265a41e3b
Verdict: Malicious activity
Threats:

Stealers are a category of malware built to gain unauthorized access to a user's information and send it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by logging keystrokes and capturing screenshots. This type of malware is distributed mainly through phishing campaigns; in this run the lure is a software keygen inside a ZIP archive rather than a phishing message.

Analysis date: August 09, 2020, 05:00:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, trojan, evasion, socelars
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 8F8FFC97DB5D6DF613B7E562FAE1F55E
SHA1: 0FE81860F9399D4D75DC36BDA3FA4FF6DD1F1200
SHA256: A5ECB3F6E2267E81F4A8504FB293852867CFD90E51AA65BEEB2377E1124E40A2
SSDEEP: 393216:XPqig8DVts2KQNV4BL/qlmpXb6aiGVDSUH:u8DRVwLqlMXb6wRSUH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Microsoft.Windows.Universal.CD.keygen.exe (PID: 2204)
      • keygen-pr.exe (PID: 1840)
      • keygen-step-3.exe (PID: 1132)
      • whhw.exe (PID: 1028)
      • keygen-step-4.exe (PID: 3208)
      • id6.exe (PID: 668)
      • key.exe (PID: 1944)
      • key.exe (PID: 3028)
      • setup.upx.exe (PID: 2112)
      • Setup.exe (PID: 2892)
      • Setup.exe (PID: 1700)
      • hjjgaa.exe (PID: 2148)
      • searzar.exe (PID: 2212)
      • Install.exe (PID: 3500)
      • hjjgaa.exe (PID: 2956)
      • jfiag_gg.exe (PID: 1256)
      • Install.exe (PID: 1740)
    • Stealing of credential data

      • keygen-step-3.exe (PID: 1132)
      • setup.upx.exe (PID: 2112)
      • id6.exe (PID: 668)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2896)
      • cmd.exe (PID: 2532)
    • Actions look like stealing of personal data

      • id6.exe (PID: 668)
      • keygen-step-4.exe (PID: 3208)
      • searzar.exe (PID: 2212)
    • Connects to CnC server

      • id6.exe (PID: 668)
      • searzar.exe (PID: 2212)
    • SOCELARS was detected

      • searzar.exe (PID: 2212)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3024)
      • Microsoft.Windows.Universal.CD.keygen.exe (PID: 2204)
      • keygen-pr.exe (PID: 1840)
      • keygen-step-4.exe (PID: 3208)
      • whhw.exe (PID: 1028)
      • Setup.exe (PID: 1700)
      • Setup.tmp (PID: 2672)
      • Setup.exe (PID: 2892)
      • hjjgaa.exe (PID: 2956)
    • Starts CMD.EXE for commands execution

      • Microsoft.Windows.Universal.CD.keygen.exe (PID: 2204)
      • keygen-step-3.exe (PID: 1132)
      • setup.upx.exe (PID: 2112)
    • Reads the cookies of Google Chrome

      • keygen-step-3.exe (PID: 1132)
      • setup.upx.exe (PID: 2112)
      • id6.exe (PID: 668)
      • searzar.exe (PID: 2212)
      • jfiag_gg.exe (PID: 1256)
    • Starts CMD.EXE for self-deleting

      • keygen-step-3.exe (PID: 1132)
      • setup.upx.exe (PID: 2112)
    • Application launched itself

      • key.exe (PID: 3028)
      • hjjgaa.exe (PID: 2148)
    • Reads the cookies of Mozilla Firefox

      • id6.exe (PID: 668)
      • searzar.exe (PID: 2212)
    • Reads Internet Cache Settings

      • id6.exe (PID: 668)
      • searzar.exe (PID: 2212)
    • Creates files in the user directory

      • id6.exe (PID: 668)
    • Reads the Windows organization settings

      • Setup.tmp (PID: 2672)
    • Reads Windows owner or organization settings

      • Setup.tmp (PID: 2672)
    • Checks for external IP

      • hjjgaa.exe (PID: 2956)
    • Creates a software uninstall entry

      • searzar.exe (PID: 2212)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • keygen-step-4.exe (PID: 3208)
    • Application was dropped or rewritten from another process

      • Setup.tmp (PID: 3972)
      • Setup.tmp (PID: 2672)
    • Creates a software uninstall entry

      • Setup.tmp (PID: 2672)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: FILE_ID.DIZ
ZipUncompressedSize: 60
ZipCompressedSize: 60
ZipCRC: 0x7584dee9
ZipModifyDate: 2020:06:10 18:30:00
ZipCompression: None
ZipBitFlag: 0x0009
ZipRequiredVersion: 10
Total processes: 68
Monitored processes: 25
Malicious processes: 13
Suspicious processes: 3

Behavior graph (interactive in the full report). Process nodes, in the order shown: winrar.exe, microsoft.windows.universal.cd.keygen.exe, cmd.exe, keygen-pr.exe, keygen-step-3.exe, keygen-step-4.exe, cmd.exe, ping.exe, key.exe, whhw.exe, key.exe, setup.upx.exe, cmd.exe, ping.exe, id6.exe, setup.exe, setup.tmp, setup.exe, setup.tmp, searzar.exe (#SOCELARS), hjjgaa.exe, hjjgaa.exe, install.exe, install.exe, jfiag_gg.exe. Nodes marked "no specs" in the graph carry no per-process detail; most edges are of the "drop and start" kind.

Process information

PID 3024 (parent: explorer.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Microsoft.Windows.Universal.CD.keygen.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 2204 (parent: WinRAR.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3024.6823\Microsoft.Windows.Universal.CD.keygen.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3024.6823\Microsoft.Windows.Universal.CD.keygen.exe
User: admin | Integrity level: MEDIUM | Exit code: 0

PID 2016 (parent: Microsoft.Windows.Universal.CD.keygen.exe)
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
Path: C:\Windows\system32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1840 (parent: cmd.exe)
CMD: keygen-pr.exe -p83fsase3Ge
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
User: admin | Integrity level: MEDIUM

PID 1132 (parent: cmd.exe)
CMD: keygen-step-3.exe
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
User: admin | Integrity level: MEDIUM | Exit code: 0

PID 3208 (parent: cmd.exe)
CMD: keygen-step-4.exe
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
User: admin | Integrity level: MEDIUM

PID 2532 (parent: keygen-step-3.exe)
CMD: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
Path: C:\Windows\system32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1412 (parent: cmd.exe)
CMD: ping 1.1.1.1 -n 1 -w 3000
Path: C:\Windows\system32\PING.EXE
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: TCP/IP Ping Command | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3028 (parent: keygen-pr.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX1\key.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX1\key.exe
User: admin | Integrity level: MEDIUM

PID 1028 (parent: keygen-step-4.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe
User: admin | Integrity level: MEDIUM | Exit code: 0
Total events: 2 793
Read events: 2 691
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 21
Suspicious files: 5
Text files: 8
Unknown types: 6

Dropped files

PID 1132, keygen-step-3.exe
File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data1 (sqlite)
MD5: B07445123C1156C138DBB2C09CA56381
SHA256: 60EF4EEFAE5E163D3C38BBBF592B70453BE8C17D95537C84438DCA3DB7B150F5

PID 3024, WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXb3024.6823\TSRh.nfo (text)
MD5: E8E26D6EE7E7770942CFAE596FB9E5F2
SHA256: 0335411B86BF08BB3A731AED67FBAEDAB7B7324893D5B08965BB06E4B11ED669

PID 3208, keygen-step-4.exe
File: C:\Users\admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe (executable)
MD5: 7016FF8FCB9D9451139D7A7541512597
SHA256: 97D21BC11812933A88C45CEC4BEF20E346952FC4A4144C93B19A205D20420A57

PID 3208, keygen-step-4.exe
File: C:\Users\admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe (executable)
MD5: 6331D170C7C2C06EA9ECF289987A8DB2
SHA256: B452A777118AD0153B13C0AA7D141C34F9F7C212D082998C071F69CE10F09234

PID 3024, WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXb3024.6823\Microsoft.Windows.Universal.CD.keygen.exe (executable)
MD5: 60B13C16B6048860C6A150EF504C8B88
SHA256: D0D0B21E803B48600C39C9AA54314A328B3B15113063A2EBFFC949DA1A38C390

PID 2204, Microsoft.Windows.Universal.CD.keygen.exe
File: C:\Users\admin\AppData\Local\Temp\RarSFX0\user32.dll (executable)
MD5: 634FBE95EA4EF2E799B3D117DD9EC52E
SHA256: 1BA4BC4F000DD9263307357FFA42D83EB01F59BF28AEC16EF2EB74E24683412E

PID 2204, Microsoft.Windows.Universal.CD.keygen.exe
File: C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe (executable)
MD5: 20F5A9440A46ACD791F3E14A51168709
SHA256: 838B3A60041CEF51E5E5EF385C9753D3526FCB0429C322374BB14D08512683A3

PID 3208, keygen-step-4.exe
File: C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe (executable)
MD5: 2FB5455DAB77DD4D793AAFA3DF21B013
SHA256: 160785406249AAE0E5F2BD62DD5DAF64A15CE9BBB36C57A6F8F5C1DDB6390D9B

PID 2204, Microsoft.Windows.Universal.CD.keygen.exe
File: C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe (executable)
MD5: 2A9D718E6A8072F8749D5C070EF1C8B2
SHA256: 7DB51629F4D689459FF38ADF32CE3F81E056FE2990D1783A1417DD8DF66AA98A

PID 3208, keygen-step-4.exe
File: C:\Users\admin\AppData\Local\Temp\RarSFX2\fix11gold.exe (executable)
MD5: 70479322993AD6BE02FA9A7669C444EB
SHA256: D38AC09E1E4A7F345A5F5786458E3EF3B3C54423B5DD873D8A335F098FA72312
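The process table and the dropped-files table above show three host behaviours worth turning into detection logic: the delayed self-delete (cmd.exe running ping as a sleep and then del on the parent's own binary), a non-browser process touching Chrome's Login Data store (the copy "Login Data1"), and executables launched from WinRAR's Rar$EX / RarSFX temp directories. The script below is an added example written for this page, not ANY.RUN's code or the malware's; the event schema (type, pid, image, cmdline, parent, path) and the sample events are constructed here, modelled on the report's own values.

```python
"""Host-side detection for three behaviours visible in this report, run over constructed
sample events. Added example; the event schema is my own, not ANY.RUN's or Sysmon's."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


# Constructed sample events modelled on the report's process table and dropped-files table.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2204, "parent": "WinRAR.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXb3024.6823\Microsoft.Windows.Universal.CD.keygen.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Rar$EXb3024.6823\Microsoft.Windows.Universal.CD.keygen.exe"'},
    {"type": "process", "pid": 2532, "parent": "keygen-step-3.exe",
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"'},
    {"type": "process", "pid": 1412, "parent": "cmd.exe",
     "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping 1.1.1.1 -n 1 -w 3000"},
    {"type": "file", "pid": 1132, "image": "keygen-step-3.exe",
     "path": r"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data1"},
    # Benign control: the browser touching its own store must not alert.
    {"type": "file", "pid": 1000, "image": "chrome.exe",
     "path": r"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign control: a plain ping with no deletion chained after it must not alert.
    {"type": "process", "pid": 9999, "parent": "explorer.exe",
     "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe /C ping 8.8.8.8 -n 4"},
]

# "ping <host> -n <count>" used as a sleep so the deletion runs after the parent has exited.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\b[^&|]*?-n\s+\d+", re.I)
# del/erase chained after the delay with & or |, optional switches, quoted or bare path.
DEL_AFTER = re.compile(r'[&|]+\s*(?:del|erase)\b(?:\s+/\w)*\s+"?(?P<target>[^"&|]+?)"?\s*$', re.I)
# Chromium credential stores; the copy "Login Data1" from the report still matches the prefix.
CHROME_STORE = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)", re.I)
BROWSER_IMAGES = {"chrome.exe"}
# WinRAR extraction (Rar$EX...) and SFX (RarSFXn) temp directories as seen in the process table.
ARCHIVE_TEMP = re.compile(r"\\Temp\\(Rar\$EX[^\\]*|RarSFX\d*)\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')


def detect(events):
    """Return one Alert per matching rule; list order follows the event order."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            m_del = DEL_AFTER.search(cmd)
            if PING_DELAY.search(cmd) and m_del:
                target = basename(m_del.group("target"))
                # Self-delete: the file being removed is the parent process's own image.
                self_delete = target.lower() == ev["parent"].lower()
                alerts.append(Alert("ping_delay_delete", ev["pid"],
                                    f"{target} (self-delete by parent: {self_delete})"))
            if ARCHIVE_TEMP.search(ev["image"]):
                alerts.append(Alert("exec_from_archive_temp", ev["pid"], basename(ev["image"])))
        elif ev["type"] == "file":
            if CHROME_STORE.search(ev["path"]) and basename(ev["image"]).lower() not in BROWSER_IMAGES:
                alerts.append(Alert("browser_credential_store_access", ev["pid"],
                                    f"{basename(ev['image'])} -> {basename(ev['path'])}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The ping rule only fires when a deletion is chained after the delay, so ordinary connectivity checks stay quiet, and it records whether the deleted file is the parent's own image, which is the signal that distinguishes self-cleanup from housekeeping. Feed it real Sysmon event 1 and event 11 records by mapping their fields onto the same keys.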
HTTP(S) requests: 8
TCP/UDP connections: 10
DNS requests: 8
Threats: 0

HTTP requests

PID 668, id6.exe: POST 200 194.54.83.254:80 http://freekzvideo.cloud/business/receive | CN: UA | reputation: malicious
PID 2112, setup.upx.exe: POST 200 45.32.114.117:80 http://www.wdsfw34erf93.com/index.php/api/fb | CN: SG | type: text, 24 b | reputation: whitelisted
PID 2212, searzar.exe: GET 200 2.16.186.11:80 http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | CN: unknown | type: der, 1.37 Kb | reputation: whitelisted
PID 1132, keygen-step-3.exe: POST 200 45.32.114.117:80 http://www.wdsfw34erf93.com/index.php/api/fb | CN: SG | type: text, 24 b | reputation: whitelisted
PID 2212, searzar.exe: GET 200 2.16.186.11:80 http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgObfHHgHlsa0R7fVL2Sj72S7g%3D%3D | CN: unknown | type: der, 527 b | reputation: whitelisted
PID 2956, hjjgaa.exe: GET 200 208.95.112.1:80 http://ip-api.com/json/ | CN: unknown | type: text, 289 b | reputation: shared
PID 2212, searzar.exe: POST 200 38.27.96.30:80 http://www.nicekkk.pw/Home/Index/getdata | CN: US | type: text, 7 b | reputation: malicious
PID 2212, searzar.exe: GET 200 149.28.244.249:80 http://www.ipcode.pw/ | CN: US | type: text, 2 b | reputation: malicious

Connections

PID 2212, searzar.exe: 2.16.186.11:80 isrg.trustid.ocsp.identrust.com | ASN: Akamai International B.V. | reputation: whitelisted
PID 2112, setup.upx.exe: 45.32.114.117:80 www.wdsfw34erf93.com | ASN: Choopa, LLC | CN: SG | reputation: malicious
PID 2212, searzar.exe: 88.99.66.31:443 iplogger.org | ASN: Hetzner Online GmbH | CN: DE | reputation: malicious
PID 2212, searzar.exe: 149.28.244.249:80 www.ipcode.pw | CN: US | reputation: suspicious
PID 668, id6.exe: 194.54.83.254:80 freekzvideo.cloud | ASN: Omnilance Ltd | CN: UA | reputation: malicious
PID 1132, keygen-step-3.exe: 45.32.114.117:80 www.wdsfw34erf93.com | ASN: Choopa, LLC | CN: SG | reputation: malicious
PID 2956, hjjgaa.exe: 208.95.112.1:80 ip-api.com | ASN: IBURST | reputation: malicious
PID 2212, searzar.exe: 38.27.96.30:80 www.nicekkk.pw | ASN: HOSTSPACE NETWORKS LLC | CN: US | reputation: malicious

DNS requests

www.wdsfw34erf93.com -> 45.32.114.117 (whitelisted)
freekzvideo.cloud -> 194.54.83.254 (malicious)
www.ipcode.pw -> 149.28.244.249 (malicious)
iplogger.org -> 88.99.66.31 (shared)
isrg.trustid.ocsp.identrust.com -> 2.16.186.11, 2.16.186.35 (whitelisted)
ocsp.int-x3.letsencrypt.org -> 2.16.186.11, 2.16.186.27 (whitelisted)
www.nicekkk.pw -> 38.27.96.30 (malicious)
ip-api.com -> 208.95.112.1 (shared)

Note that the reputation labels are assigned per table and disagree for www.wdsfw34erf93.com (whitelisted here and in the HTTP table, malicious in the Connections table) and for ip-api.com (shared here, malicious in Connections); treat them as advisory and base conclusions on the observed behaviour, not the label.

Threats

PID, Process | Class | Message
- | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
668, id6.exe | A Network Trojan was detected | ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space
668, id6.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.cloud Domain
- | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
2212, searzar.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain
2212, searzar.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate
2212, searzar.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate
- | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
2956, hjjgaa.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
2956, hjjgaa.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
7 ETPRO signatures available at the full report
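The IDS alerts above fire on three network patterns that are cheap to reproduce in proxy or egress-log triage: requests to the .pw and .cloud TLDs, external IP lookups (ip-api.com, iplogger.org), and a User-Agent of "WindowsNT" with no space where a real browser sends "Windows NT". The script below is an added example written for this page, not ANY.RUN's code or an Emerging Threats rule; the record schema is mine and the user_agent strings are constructed for it (the report shows the alert, not the header value). It also allowlists the two CA OCSP responders seen in the HTTP table so that routine revocation checks do not add noise.

```python
"""Triage of HTTP request records against the patterns the IDS alerts above describe.
Added example; the record schema and the user_agent values are constructed, not taken
from the report or from ANY.RUN."""
import re
from urllib.parse import urlsplit

# Constructed sample records modelled on the report's HTTP table (user_agent values invented).
SAMPLE_REQUESTS = [
    {"pid": 668, "process": "id6.exe", "method": "POST",
     "url": "http://freekzvideo.cloud/business/receive",
     "user_agent": "Mozilla/5.0 (WindowsNT 6.1; Win64; x64)"},  # mirrors the ET TROJAN alert
    {"pid": 2112, "process": "setup.upx.exe", "method": "POST",
     "url": "http://www.wdsfw34erf93.com/index.php/api/fb",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"},
    {"pid": 2212, "process": "searzar.exe", "method": "GET",
     "url": "http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D",
     "user_agent": "Microsoft-CryptoAPI/6.1"},
    {"pid": 2956, "process": "hjjgaa.exe", "method": "GET",
     "url": "http://ip-api.com/json/", "user_agent": ""},
    {"pid": 2212, "process": "searzar.exe", "method": "POST",
     "url": "http://www.nicekkk.pw/Home/Index/getdata",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"},
    {"pid": 2212, "process": "searzar.exe", "method": "GET",
     "url": "http://www.ipcode.pw/", "user_agent": "Mozilla/5.0 (Windows NT 6.1)"},
]

SUSPICIOUS_TLDS = {"pw", "cloud"}  # the TLDs the ET rules fired on in this run; extend as needed
IP_LOOKUP_HOSTS = {"ip-api.com", "iplogger.org", "ipinfo.io", "api.ipify.org", "icanhazip.com"}
CA_OCSP_DOMAINS = re.compile(r"(^|\.)(identrust\.com|letsencrypt\.org)$", re.I)
MALFORMED_UA = re.compile(r"\bWindowsNT\b")  # "WindowsNT" without the space a real browser UA has


def classify(req):
    """Return the sorted list of findings for one request ([] when nothing is notable)."""
    host = (urlsplit(req["url"]).hostname or "").lower()
    if CA_OCSP_DOMAINS.search(host):
        return []  # OS certificate revocation checks: allowlisted
    bare = host[4:] if host.startswith("www.") else host
    findings = []
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        findings.append("suspicious_tld")
    if bare in IP_LOOKUP_HOSTS:
        findings.append("external_ip_lookup")
    ua = req["user_agent"]
    if not ua:
        findings.append("empty_user_agent")
    elif MALFORMED_UA.search(ua):
        findings.append("malformed_user_agent")
    if req["method"] == "POST" and findings:
        findings.append("post_to_flagged_host")  # a POST to a flagged host is likely data leaving
    return sorted(findings)


def triage(requests):
    """Map each PID to the union of findings across its requests; unflagged PIDs are omitted."""
    per_pid = {}
    for req in requests:
        for finding in classify(req):
            per_pid.setdefault(req["pid"], set()).add(finding)
    return {pid: sorted(fs) for pid, fs in per_pid.items()}


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_REQUESTS).items():
        print(pid, ", ".join(findings))
```

Run against real logs, the per-PID view is what matters: a single process that both looks up its external IP and POSTs to a throwaway-TLD host is a much stronger signal than either request alone, which is why the two ET alert classes for searzar.exe and id6.exe read as one stealer check-in rather than two policy notices.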
Process | Message
id6.exe | 006
id6.exe | http://freekzvideo.cloud/business/receive