File name: what is long stop date in a contract(50123).zip
Full analysis: https://app.any.run/tasks/198502ef-f4b4-4f3b-8fba-b7cb477865d6
Verdict: Malicious activity
Analysis date: May 21, 2022, 03:46:57
OS: Windows 10 Professional (build: 16299, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 631F5FD55CACB7D31FE915D35A9FD657
SHA1: 9E6DE102E3D63BBC42EAF2B414601A9C5A981EF4
SHA256: AB9A1B589EF81C2855D16F3B63DDDDD90D05D2DFD8CF2EEE79BD11B3330CEBE9
SSDEEP: 1536:bZnxS4G8k2PL9646ivJzvQ1fvf/gO/T+iyqcpqhUocwdC0SNSu9dT+D0Ln0:bRxS4M2PhJtvCfvf/gk+qiswSuDT+m0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • SDXHelper.exe (PID: 304)
      • WinRAR.exe (PID: 3968)
      • WScript.exe (PID: 960)
      • notepad++.exe (PID: 1604)
      • gup.exe (PID: 1360)
      • WinRAR.exe (PID: 972)
      • conhost.exe (PID: 404)
      • powershell.exe (PID: 304)
      • WinRAR.exe (PID: 1312)
      • notepad++.exe (PID: 2568)
    • Reads the computer name

      • SDXHelper.exe (PID: 304)
      • WinRAR.exe (PID: 3968)
      • WScript.exe (PID: 960)
      • gup.exe (PID: 1360)
      • notepad++.exe (PID: 1604)
      • WinRAR.exe (PID: 972)
      • conhost.exe (PID: 404)
      • powershell.exe (PID: 304)
      • WinRAR.exe (PID: 1312)
      • notepad++.exe (PID: 2568)
    • Executed via COM

      • SDXHelper.exe (PID: 304)
      • rundll32.exe (PID: 3776)
    • Reads CPU info

      • SDXHelper.exe (PID: 304)
    • Creates files in the user directory

      • notepad++.exe (PID: 1604)
      • powershell.exe (PID: 304)
    • Reads the date of Windows installation

      • taskmgr.exe (PID: 260)
      • powershell.exe (PID: 304)
    • Executes PowerShell scripts

      • WinRAR.exe (PID: 972)
  • INFO

    • Reads settings of System Certificates

      • SDXHelper.exe (PID: 304)
      • WScript.exe (PID: 960)
      • powershell.exe (PID: 304)
    • Manual execution by user

      • WScript.exe (PID: 960)
      • notepad++.exe (PID: 1604)
      • taskmgr.exe (PID: 260)
      • taskmgr.exe (PID: 2884)
      • WinRAR.exe (PID: 972)
      • WinRAR.exe (PID: 1312)
      • notepad++.exe (PID: 2568)
    • Reads the software policy settings

      • SDXHelper.exe (PID: 304)
      • WScript.exe (PID: 960)
      • powershell.exe (PID: 304)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 960)
      • powershell.exe (PID: 304)
    • Reads the computer name

      • taskmgr.exe (PID: 260)
    • Checks supported languages

      • taskmgr.exe (PID: 260)
    • Reads Microsoft Office registry keys

      • powershell.exe (PID: 304)
      • SDXHelper.exe (PID: 304)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: what_is_long_stop_date_in_a_contract 91856.js
ZipUncompressedSize: 293211
ZipCompressedSize: 87634
ZipCRC: 0x80ff9c5c
ZipModifyDate: 2022:05:20 20:47:00
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
Total processes: 67
Monitored processes: 13
Malicious processes: 1
Suspicious processes: 3

Process information

Each entry below lists the PID, command line (CMD), image path, parent process and image properties of a monitored process.
PID: 3968
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\what is long stop date in a contract(50123).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
PID: 304
CMD: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\SDXHelper.exe" -Embedding
Path: C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\SDXHelper.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office SDX Helper
Exit code: 0
Version: 16.0.11929.20300
Modules (images):
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\root\vfs\programfilescommonx86\microsoft shared\office16\sdxhelper.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems32.dll
c:\windows\system32\msvcp140.dll
PID: 960
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\what_is_long_stop_date_in_a_contract 91856.js"
Path: C:\Windows\System32\WScript.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\wscript.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
PID: 3776
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\WINDOWS\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1604
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\c6dda813-2a3c-46e2-9c8d-690353cd516f.ps1"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: Explorer.EXE
User: admin
Company:
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51
Modules (images):
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.125_none_5d79065fa7de350f\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 1360
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1
Modules (images):
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.125_none_5d79065fa7de350f\comctl32.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 2884
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\WINDOWS\system32\taskmgr.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Manager
Exit code: 3221226540
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\taskmgr.exe
PID: 260
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\WINDOWS\system32\taskmgr.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Manager
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\taskmgr.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 972
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\c6dda813-2a3c-46e2-9c8d-690353cd516f.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\comdlg32.dll
PID: 304
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\admin\AppData\Local\Temp\Rar$DIa972.46921\c6dda813-2a3c-46e2-9c8d-690353cd516f.ps1'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
Total events: 36 604
Read events: 34 712
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 0
Suspicious files: 245
Text files: 756
Unknown types: 26

Dropped files

Each entry lists the PID and process that wrote the file, the filename, the file type, and the MD5 and SHA256 of the dropped file.
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\3cdc9d5f248d6d7506214ff391c8c3\Package.appx
MD5:318E7DDAE132EF0EED81FA934ED76D7A
SHA256:96B27DDAFCF88A7F6F929FB48321C6CD9D3843591B7245927BD71359BDB8AC49
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\9b0eba726102ef75983c6ce565f95c22\Package.appx
MD5:123ED3786AD7F96824CB946F5469D58E
SHA256:E50B163C79E1F67FB38ABCDB5135C69E5C7547E81308BC00618DA8049408F9E4
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\45cfa0ff7e2dbd7b6089b3990c58a2ad\Package.appx
MD5:DFC97B74237F7D2BAA44543D36CFFC71
SHA256:AEA53FADB383FCD22F321E5B9297267CD5089A20E8BD47FD9D5D2BEE96417BFA
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\297d816682165b8eee0b3371d74a59d8\Package.appx
MD5:D8BFA7A44A5D848745AB40985F41A83E
SHA256:1ECE78D0E5DCFAB60C9DDB9233853B2D92078A13EE0CEEB8DDE2A252A6AC482E
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\a20c7ca10684ad15f9df10646379679c\Package.appx
MD5:378E4DB2989AD5C633AB7CBB40AE43EA
SHA256:7EB24CAB9687CA6B652C5A17062BB9DC35FF8AE571A784BBB4A02933D69BA067
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\d226ad8293cd11d5fb2ac743a0d861a4\Package.appx
MD5:5435D6C595BA7750DD573AD9D0F06AE6
SHA256:E2BCE5B0ABDB77D04CA64AC3C5AE50E2CC5EC383106956151ED81FC0DFF9AE42
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\819fb485a17719be1a6514b0586bad55\Package.appx
MD5:A510CF15CB6AB0A6C452EE2D0DF6794D
SHA256:3B71840F3278DDC205C79F0A0E38416F8EFD5F4EBDD8C2B3D4E6BF13C59C1AA2
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\590b7ea04daf428bf1a2a504bd30e016\Package.appx
MD5:BD2EBD75F83634C7C573D46E6F95A6E1
SHA256:0F56E88AFB6D2176DA1728BBCC95FF109468CF3FD78B1BD011D1A0CA3FA447C4
PID 304, SDXHelper.exe, compressed: C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\e6ec30329225bb49c9a13ed193ce8f50\Package.appx
MD5:7829E26912654FC92D7FE138FA6F7B29
SHA256:B5FCF0AEE1028675BC9A53839E4338B80D05A67362C666E802739C9789FB5CDD
PID 3968, WinRAR.exe, text: C:\Users\admin\Desktop\what_is_long_stop_date_in_a_contract 91856.js
MD5:5DB63C2212BBC183776A05A9034BE0D8
SHA256:D210C860E33449C17500D6E023ADB209E15F41F81C5B1C31290C805AAF10BC9A
HTTP(S) requests: 2
TCP/UDP connections: 30
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1244 | lsass.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
1436 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1436 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
304 | SDXHelper.exe | 13.107.42.16:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
3816 | sdxhelper.exe | 52.109.12.18:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted
3816 | sdxhelper.exe | 13.107.42.16:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
304 | SDXHelper.exe | 52.109.12.18:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted
1456 | svchost.exe | 52.152.110.14:443 | sls.update.microsoft.com | Microsoft Corporation | US | whitelisted
304 | SDXHelper.exe | 20.126.153.54:443 | mrodevicemgr.officeapps.live.com |  | US | suspicious
1436 | svchost.exe | 40.126.32.136:443 |  | Microsoft Corporation | US | suspicious
304 | SDXHelper.exe | 52.109.32.63:443 | officeclient.microsoft.com | Microsoft Corporation | GB | whitelisted
3816 | sdxhelper.exe | 52.109.32.63:443 | officeclient.microsoft.com | Microsoft Corporation | GB | whitelisted

DNS requests

Domain | IP | Reputation
officeclient.microsoft.com | 52.109.32.63 | whitelisted
nexusrules.officeapps.live.com | 52.109.12.18 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
sls.update.microsoft.com | 52.152.110.14 | whitelisted
self.events.data.microsoft.com | 20.189.173.6 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
mrodevicemgr.officeapps.live.com | 20.126.153.54 | whitelisted
officecdn.microsoft.com | 2.22.32.65 | whitelisted
www.lintelconsulting.co.uk | 46.235.226.209 | unknown
www.labbunnies.eu | 195.113.57.133 | unknown

Threats

No threats detected

Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
conhost.exe | InitSideBySide failed create an activation context. Error: 1814
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093