File name: test1.zip
Full analysis: https://app.any.run/tasks/89b216b9-895e-4efe-9809-3f6f902e5b25
Verdict: Malicious activity
Threats: TrickBot

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Analysis date: January 17, 2020, 23:14:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trickbot

Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract
MD5: 634F3AFF60F49E0E70C3BF7A8732BBF5
SHA1: 9546999EF57B133D3047D2A941E60FDDD6873984
SHA256: ADEEBFE44F1EF737FB8BD8ABDB25C0FECF9D4CD86A597534FF4C5BB243DA362D
SSDEEP: 6144:E6E3tggdqvtKYRL5Q5qB6TggO5Mcj6Idrh++cGeIZWRvXG0V7u1gMs:E6yFe5cI6jOuclE+cgmPGmH9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 59346383.exe (PID: 408)
      • 59346383.exe (PID: 1724)
      • 39324383.exe (PID: 2908)
    • Known privilege escalation attack
      • DllHost.exe (PID: 2344)
    • Loads the Task Scheduler COM API
      • 59346383.exe (PID: 408)
      • 39324383.exe (PID: 2908)
    • TRICKBOT was detected
      • 59346383.exe (PID: 408)
      • 39324383.exe (PID: 2908)
  • SUSPICIOUS
    • Executed via COM
      • DllHost.exe (PID: 2344)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1752)
      • 59346383.exe (PID: 408)
    • Creates files in the user directory
      • 59346383.exe (PID: 408)
      • 39324383.exe (PID: 2908)
    • Executed via Task Scheduler
      • 39324383.exe (PID: 2908)
  • INFO
    • Manual execution by user
      • WINWORD.EXE (PID: 2140)
      • AcroRd32.exe (PID: 1784)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2140)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2140)
    • Application launched itself
      • AcroRd32.exe (PID: 1784)
      • RdrCEF.exe (PID: 3408)
    • Reads the hosts file
      • RdrCEF.exe (PID: 3408)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 20
  ZipBitFlag: 0x0801
  ZipCompression: Deflated
  ZipModifyDate: 1980:00:00 00:00:00
  ZipCRC: 0x39220635
  ZipCompressedSize: 287382
  ZipUncompressedSize: 462288
  ZipFileName: Device/HarddiskVolume3/Users/hermell/AppData/Local/Temp/59346383.exe
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph, not reproduced here. Nodes as labelled in the report: winrar.exe, 59346383.exe (no specs), CMSTPLUA (no specs), #TRICKBOT 59346383.exe, winword.exe (no specs), #TRICKBOT 39324383.exe, acrord32.exe (no specs, two instances), rdrcef.exe (no specs, two instances). Edge labels: "drop and start", "start".]

Process information

PID: 1752
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test1.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1724
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2344
CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 408
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe
Indicators: TRICKBOT
Parent process: DllHost.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2140
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\respectivewords.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2908
CMD: C:\Users\admin\AppData\Roaming\WinNetCore\39324383.exe
Path: C:\Users\admin\AppData\Roaming\WinNetCore\39324383.exe
Indicators: TRICKBOT
Parent process: taskeng.exe
User: SYSTEM
Integrity Level: SYSTEM

PID: 1784
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: explorer.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Exit code: 1
Version: 15.23.20070.215641

PID: 3304
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Exit code: 1
Version: 15.23.20070.215641

PID: 3408
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe RdrCEF
Version: 15.23.20053.211670

PID: 1188
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3408.0.524815997\476436060" --allow-no-sandbox-job /prefetch:673131151
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 15.23.20053.211670

Total events: 1 694
Read events: 1 324
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 1
Text files: 4
Unknown types: 4

Dropped files

PID: 2140 | Process: WINWORD.EXE | Type: -
  Filename: C:\Users\admin\AppData\Local\Temp\CVRAB49.tmp.cvr
  MD5: -
  SHA256: -

PID: 2140 | Process: WINWORD.EXE | Type: -
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{90512652-8747-4905-AC02-E6CC89EF6D8B}.tmp
  MD5: -
  SHA256: -

PID: 2140 | Process: WINWORD.EXE | Type: -
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB404F54-B6AB-4219-8385-F70BAEDC0F78}.tmp
  MD5: -
  SHA256: -

PID: 2140 | Process: WINWORD.EXE | Type: -
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{47417411-CFF5-4BD4-BF3F-87B0FC7240FF}.tmp
  MD5: -
  SHA256: -

PID: 1752 | Process: WinRAR.exe | Type: text
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\manifest.json
  MD5: 7F83698730B6D5D895DA2AEB1A871406
  SHA256: 47290C4DF41FDAA09FE3EECD7F2A4A47DDD65F8630AE58AEDEC1D25B7A99F801

PID: 2140 | Process: WINWORD.EXE | Type: pgc
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  MD5: 471342A14E3DAB132C25552D50679A7C
  SHA256: CAAF26CB16ED62FF12F8DC1BE99D201309D28A9B26A63C01A2544CDEAA8AA4DA

PID: 2140 | Process: WINWORD.EXE | Type: pgc
  Filename: C:\Users\admin\Desktop\~$spectivewords.rtf
  MD5: 70EF7105FE3C484F5D4FD6535A4E5E52
  SHA256: 54C9D8E39C55A445B4973AFBA57C14521614B4E1664B0A0759337856C96551D7

PID: 1752 | Process: WinRAR.exe | Type: executable
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe
  MD5: 699CEBD527F0373DC20699640E690979
  SHA256: 7FE1EDC657E804A7B1970C69F85D921E8C665E6935786267DD14DCA481951E73

PID: 2140 | Process: WINWORD.EXE | Type: lnk
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\respectivewords.rtf.LNK
  MD5: 01B71C190FA484417DF92FFB1B84D030
  SHA256: BD0BB36E113EA4644C8F3B9C6EC59080A1A4840222F42CCA593A5997255D7A01

PID: 3304 | Process: AcroRd32.exe | Type: binary
  Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat
  MD5: E724D72264DA270D3DA2293F7579F7CC
  SHA256: 3516E878C6EF18D6D7DF8F3D01B63D7E7E87C865D822F62358B96C0576456975

Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2908 | Process: 39324383.exe | IP: 5.182.210.246:443 | Domain: - | ASN: - | CN: - | Reputation: malicious

DNS requests: No data

Threats: No threats detected

No debug info