File name: loas-hesoo-787652670.zip

Full analysis: https://app.any.run/tasks/9f233c37-f112-48cd-a4b8-b01f9f755690
Verdict: Malicious activity
Analysis date: November 30, 2020, 06:16:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B1D82F8268F760CDE8C24B75648FA1FA
SHA1: 779471B9AA34A64E107A36EEB283C45C0B9DF832
SHA256: B059705DC6CE9C502D2D2D373F719AD22DCF08EAA0C4EEF999AAD3B743E2654A
SSDEEP: 393216:ZSREC0bltzJP7pLNmkNu+5ujrg1pWRaUWEJYrSJq6icn:Yv0xtzxzu+5K29UtOqq6l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • loas-hesoo-787652670.exe (PID: 2976)
      • loas-hesoo-787652670.exe (PID: 2052)
      • wmfdist.exe (PID: 552)
      • VirtualDVW.exe (PID: 3696)
    • Drops executable file immediately after starts

      • loas-hesoo-787652670.exe (PID: 2976)
      • loas-hesoo-787652670.exe (PID: 2052)
      • loas-hesoo-787652670.tmp (PID: 3360)
    • Loads dropped or rewritten executable

      • VirtualDVW.exe (PID: 3696)
  • SUSPICIOUS

    • Drops a file with too old compile date

      • loas-hesoo-787652670.exe (PID: 2976)
      • loas-hesoo-787652670.tmp (PID: 3360)
      • loas-hesoo-787652670.exe (PID: 2052)
    • Executable content was dropped or overwritten

      • loas-hesoo-787652670.exe (PID: 2976)
      • loas-hesoo-787652670.exe (PID: 2052)
      • loas-hesoo-787652670.tmp (PID: 3360)
    • Drops a file that was compiled in debug mode

      • loas-hesoo-787652670.tmp (PID: 3360)
    • Creates a directory in Program Files

      • loas-hesoo-787652670.tmp (PID: 3360)
    • Drops a file with a compile date too recent

      • loas-hesoo-787652670.tmp (PID: 3360)
  • INFO

    • Application was dropped or rewritten from another process

      • loas-hesoo-787652670.tmp (PID: 3360)
      • loas-hesoo-787652670.tmp (PID: 1060)
    • Loads dropped or rewritten executable

      • loas-hesoo-787652670.tmp (PID: 3360)
    • Manual execution by user

      • loas-hesoo-787652670.exe (PID: 2976)
    • Creates a software uninstall entry

      • loas-hesoo-787652670.tmp (PID: 3360)
    • Creates files in the program directory

      • loas-hesoo-787652670.tmp (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: CaretVisible.exe
ZipUncompressedSize: 3000008
ZipCompressedSize: 2916667
ZipCRC: 0x09f882c6
ZipModifyDate: 2020:10:21 21:24:14
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

(The interactive graph is rendered in the full report. Nodes, in start/drop-and-start order: winrar.exe, loas-hesoo-787652670.exe, loas-hesoo-787652670.tmp, loas-hesoo-787652670.exe, loas-hesoo-787652670.tmp, wmfdist.exe, virtualdvw.exe.)

Process information

PID: 3116
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\loas-hesoo-787652670.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2976
CMD: "C:\Users\admin\Desktop\loas-hesoo-787652670.exe"
Path: C:\Users\admin\Desktop\loas-hesoo-787652670.exe
Parent process: explorer.exe
User: admin
Company: pasoft
Integrity Level: MEDIUM
Description: http://www.yburn.com
Version: 1.1.0.0

PID: 1060
CMD: "C:\Users\admin\AppData\Local\Temp\is-KR3KC.tmp\loas-hesoo-787652670.tmp" /SL5="$3017A,11846826,50688,C:\Users\admin\Desktop\loas-hesoo-787652670.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-KR3KC.tmp\loas-hesoo-787652670.tmp
Parent process: loas-hesoo-787652670.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.52.0.0

PID: 2052
CMD: "C:\Users\admin\Desktop\loas-hesoo-787652670.exe" /SPAWNWND=$20174 /NOTIFYWND=$3017A
Path: C:\Users\admin\Desktop\loas-hesoo-787652670.exe
Parent process: loas-hesoo-787652670.tmp
User: admin
Company: pasoft
Integrity Level: HIGH
Description: http://www.yburn.com
Version: 1.1.0.0

PID: 3360
CMD: "C:\Users\admin\AppData\Local\Temp\is-QVOM0.tmp\loas-hesoo-787652670.tmp" /SL5="$30172,11846826,50688,C:\Users\admin\Desktop\loas-hesoo-787652670.exe" /SPAWNWND=$20174 /NOTIFYWND=$3017A
Path: C:\Users\admin\AppData\Local\Temp\is-QVOM0.tmp\loas-hesoo-787652670.tmp
Parent process: loas-hesoo-787652670.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.52.0.0

PID: 552
CMD: "C:\Program Files\IrtualDVW\wmfdist.exe" /Q:A /R:N
Path: C:\Program Files\IrtualDVW\wmfdist.exe
Parent process: loas-hesoo-787652670.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Media Component Setup Application
Exit code: 0
Version: 9.00.00.2926

PID: 3696
CMD: "C:\Program Files\IrtualDVW\VirtualDVW.exe" loas-hesoo-787652670.exe
Path: C:\Program Files\IrtualDVW\VirtualDVW.exe
Parent process: loas-hesoo-787652670.tmp
User: admin
Company: Ower Software Ltd
Integrity Level: HIGH
Description: AnyBurn
Version: 8, 1, 0, 3
Total events: 664
Read events: 634
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 16
Suspicious files: 0
Text files: 26
Unknown types: 2

Dropped files

PID 3116 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa3116.37076\CaretVisible.exe
PID 3116 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa3116.37076\loas-hesoo-787652670.exe
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-74SO2.tmp
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-JDFUP.tmp
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-V352J.tmp
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-SF00U.tmp
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-ER5GQ.tmp
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-3D2PH.tmp
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-KH63A.tmp
PID 3360 (loas-hesoo-787652670.tmp): C:\Program Files\IrtualDVW\is-H0JBI.tmp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info