File name: TelnetONU1.2.5b.zip

Full analysis: https://app.any.run/tasks/5ba5d1d6-5925-4d22-a69b-cb3d9d872da5
Verdict: Malicious activity
Analysis date: May 04, 2021, 10:41:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: D0ED974448F23325CB531251F320BDFF
SHA1: 3B8AA5A279877F5135310D379685358CBBDDBD72
SHA256: AFFBBE6AA6445BBF95E5D501A533A9BEDD3C231F879AF590D9FB6C8FB8A06EDD
SSDEEP: 12288:LuiVFrDQgl/6N6ydTGLVHuW9tlYyM8RrLMuUintRooKX6usf:LXv/ypUOW9smRrIlWhBJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • TelnetONU.exe (PID: 1596)
      • TelnetONU.exe (PID: 2760)
      • getinfo.exe (PID: 3408)
      • factorymode.exe (PID: 3164)
      • decrypt.exe (PID: 1972)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4088)
    • Starts CMD.EXE for commands execution

      • TelnetONU.exe (PID: 2760)
  • INFO

    • Manual execution by user

      • TelnetONU.exe (PID: 1596)
      • TelnetONU.exe (PID: 2760)
      • getinfo.exe (PID: 3408)
      • factorymode.exe (PID: 3164)
      • decrypt.exe (PID: 1972)
      • NOTEPAD.EXE (PID: 3056)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: TelnetONU1.2.5b/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2021:04:28 10:34:14
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph: winrar.exe, telnetonu.exe, telnetonu.exe, cmd.exe, cmd.exe, ping.exe, cmd.exe, getinfo.exe, factorymode.exe, decrypt.exe, notepad.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID 1596 | CMD: "C:\Users\admin\Desktop\TelnetONU1.2.5b\TelnetONU.exe" | Path: C:\Users\admin\Desktop\TelnetONU1.2.5b\TelnetONU.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: TelnetONU
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same binary is then re-run as PID 2760 at HIGH integrity)
Version: 1,2,5
Modules (images):
c:\users\admin\desktop\telnetonu1.2.5b\telnetonu.exe
c:\systemroot\system32\ntdll.dll
PID 1724 | CMD: cmd /c mkdir log | Path: C:\Windows\system32\cmd.exe | Parent process: TelnetONU.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 1972 | CMD: "C:\Users\admin\Desktop\TelnetONU1.2.5b\decrypt.exe" | Path: C:\Users\admin\Desktop\TelnetONU1.2.5b\decrypt.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\telnetonu1.2.5b\decrypt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID 2268 | CMD: cmd /c ping 192.168.1.1 -n 1 -l 128 | Path: C:\Windows\system32\cmd.exe | Parent process: TelnetONU.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 2468 | CMD: cmd /c del userpass.txt | Path: C:\Windows\system32\cmd.exe | Parent process: TelnetONU.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 2760 | CMD: "C:\Users\admin\Desktop\TelnetONU1.2.5b\TelnetONU.exe" | Path: C:\Users\admin\Desktop\TelnetONU1.2.5b\TelnetONU.exe | Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: TelnetONU
Exit code: 0
Version: 1,2,5
Modules (images):
c:\users\admin\desktop\telnetonu1.2.5b\telnetonu.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mfc42.dll
PID 3056 | CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\TelnetONU1.2.5b\Cmd_Onu.txt | Path: C:\Windows\system32\NOTEPAD.EXE | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID 3164 | CMD: "C:\Users\admin\Desktop\TelnetONU1.2.5b\factorymode.exe" | Path: C:\Users\admin\Desktop\TelnetONU1.2.5b\factorymode.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\telnetonu1.2.5b\factorymode.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\user32.dll
PID 3408 | CMD: "C:\Users\admin\Desktop\TelnetONU1.2.5b\getinfo.exe" | Path: C:\Users\admin\Desktop\TelnetONU1.2.5b\getinfo.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: getinfo Microsoft 基础类应用程序 (Microsoft Foundation Class application)
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
c:\users\admin\desktop\telnetonu1.2.5b\getinfo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID 3580 | CMD: ping 192.168.1.1 -n 1 -l 128 | Path: C:\Windows\system32\PING.EXE | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events: 927
Read events: 878
Write events: 47
Delete events: 2

Modification events

PID 4088 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID 4088 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID 4088 WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 4088 WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | Operation: write | Name: @C:\Windows\system32\NetworkExplorer.dll,-1 | Value: Network
PID 4088 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\TelnetONU1.2.5b.zip
PID 4088 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 4088 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 4088 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 4088 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 4088 WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | Operation: write | Name: @C:\Windows\system32\notepad.exe,-469 | Value: Text Document
Executable files: 8
Suspicious files: 3
Text files: 6
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\TelnetONU1.2.5b\TelnetONU1.2.5b\TelnetONU1.2.5b\date.dll | text
MD5: CE930843B8DB4E0E69C1952A9919D945 | SHA256: 45CD2816B7F9CCEE5F9E4CD237ACE4912B476227876105D24FA91DD4FBD29C41

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\TelnetONU1.2.5b\TelnetONU1.2.5b\TelnetONU1.2.5b\TelnetONU--Usage Description of the ONU One-key Information Collection Tool R1.4.docx | compressed
MD5: 2D75636822466BB21F8278ADD2838698 | SHA256: AE637C8F8A1DB743D4C1688606A328F22EBBF77ED51E7417BB3B4372F50BB528

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\TelnetONU1.2.5b\TelnetONU1.2.5b\TelnetONU1.2.5b\factorymode.exe | executable
MD5: D6544A7CD742A7BB37A7222E83FD9306 | SHA256: 6D75E5AA07A666E88DD45BEF12CED490AC89CF07FC3D7E03DECA3118E685788C

PID 3408 | getinfo.exe | C:\Users\admin\Desktop\TelnetONU1.2.5b\USER-PC.icr | binary
MD5: (not recorded) | SHA256: (not recorded)

PID 2760 | TelnetONU.exe | C:\Users\admin\Desktop\TelnetONU1.2.5b\log\CmdLog-20210504114209.txt | text
MD5: (not recorded) | SHA256: (not recorded)

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\TelnetONU1.2.5b\TelnetONU1.2.5b\TelnetONU1.2.5b\Cmd_Onu.txt | text
MD5: 1ADF01A5989482B9B4C7B5B1FAB42EFE | SHA256: 9F16C34715995F2E89A79A5DC80450C7349A1543580EE2BC8B8715BA4353C87C

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\TelnetONU1.2.5b\TelnetONU1.2.5b\TelnetONU1.2.5b\decrypt.exe | executable
MD5: 252D0EEF5A1E7CEF6E789C488D1913E8 | SHA256: D9E46A77A566B511FB154327637DA91546086E34E02BA41C82B1F86C6746BEB6

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4088.22739\TelnetONU1.2.5b\TelnetONU1.2.5b\decrypt.exe | executable
MD5: 252D0EEF5A1E7CEF6E789C488D1913E8 | SHA256: D9E46A77A566B511FB154327637DA91546086E34E02BA41C82B1F86C6746BEB6

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4088.22739\TelnetONU1.2.5b\TelnetONU1.2.5b\getinfo.exe | executable
MD5: E0B9BFFDF3EF93A1F7EF1AA5FCCED208 | SHA256: 1409ECA475CB5FE7007D7A270C01CD7501CE42C2150C9390ECD9A428834F62EA

PID 4088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4088.22739\TelnetONU1.2.5b\TelnetONU1.2.5b\factorymode.exe | executable
MD5: D6544A7CD742A7BB37A7222E83FD9306 | SHA256: 6D75E5AA07A666E88DD45BEF12CED490AC89CF07FC3D7E03DECA3118E685788C
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info