File name: MW.zip
Full analysis: https://app.any.run/tasks/dbe2bae7-b026-414f-bc15-39e8d69cdeff
Verdict: Malicious activity
Analysis date: March 14, 2019, 20:57:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B62D33BE0CEB7E65267333941A19710F
SHA1: 292CC051FE0205CD00738E4D4EAA06AD4B33E89C
SHA256: B160A40F9B2EE0D821D1F3423EAE452A096EBE6D755CDBDB6E388CE323DAFB72
SSDEEP: 12288:7yQo3SB2r/hlonASybLEsus8G+KetJlhiFD1cG:lkSYrWKIs8TuD17

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GoogleChrome.exe (PID: 3092)
      • GoogleChrome.exe (PID: 2120)
      • GoogleChrome.exe (PID: 2348)
    • Changes the autorun value in the registry

      • GoogleChrome.exe (PID: 2348)
      • GoogleChrome.exe (PID: 2120)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GoogleChrome.exe (PID: 3092)
      • GoogleChrome.exe (PID: 2348)
      • GoogleChrome.exe (PID: 2120)
    • Drop AutoIt3 executable file

      • GoogleChrome.exe (PID: 3092)
      • GoogleChrome.exe (PID: 2348)
      • GoogleChrome.exe (PID: 2120)
    • Starts itself from another location

      • GoogleChrome.exe (PID: 3092)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • GoogleChrome.exe (PID: 3092)
      • GoogleChrome.exe (PID: 2348)
      • GoogleChrome.exe (PID: 2120)
    • Starts CMD.EXE for commands execution

      • GoogleChrome.exe (PID: 3092)
    • Uses NETSH.EXE for network configuration

      • GoogleChrome.exe (PID: 2348)
      • GoogleChrome.exe (PID: 2120)
    • Creates files in the program directory

      • GoogleChrome.exe (PID: 2348)
    • Connects to unusual port

      • GoogleChrome.exe (PID: 2348)
  • INFO

    No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2015:03:05 18:05:28
ZipCRC: 0x998989ad
ZipCompressedSize: 55483
ZipUncompressedSize: 55463
ZipFileName: GoogleChrome.a3x
Total processes: 40
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph (process nodes only; the interactive graph is in the full report): winrar.exe, googlechrome.exe, googlechrome.exe, cmd.exe, googlechrome.exe, netsh.exe, netsh.exe

Process information

PID: 2984
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MW.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3092
CMD: "C:\Users\admin\Desktop\GoogleChrome.exe"
Path: C:\Users\admin\Desktop\GoogleChrome.exe
Parent process: explorer.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 8, 1

PID: 2348
CMD: "C:\GoogleChrome\GoogleChrome.exe" /AutoIt3ExecuteScript C:\GoogleChrome\GoogleChrome.a3x
Path: C:\GoogleChrome\GoogleChrome.exe
Parent process: GoogleChrome.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Version: 3, 3, 8, 1

PID: 2688
CMD: "C:\Windows\System32\cmd.exe" /c start C:\GoogleChrome/GoogleChrome.exe C:\GoogleChrome/GoogleChrome.a3x
Path: C:\Windows\System32\cmd.exe
Parent process: GoogleChrome.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2120
CMD: C:\GoogleChrome/GoogleChrome.exe C:\GoogleChrome/GoogleChrome.a3x
Path: C:\GoogleChrome\GoogleChrome.exe
Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 8, 1

PID: 3180
CMD: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\GoogleChrome\GoogleChrome.exe" "GoogleChrome.exe" ENABLE
Path: C:\Windows\System32\netsh.exe
Parent process: GoogleChrome.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2332
CMD: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\GoogleChrome\GoogleChrome.exe" "GoogleChrome.exe" ENABLE
Path: C:\Windows\System32\netsh.exe
Parent process: GoogleChrome.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 603
Read events: 1 365
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 0
Text files: 30
Unknown types: 21

Dropped files

PID: 2984
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2984.9163\GoogleChrome.a3x
Type:
MD5:
SHA256:

PID: 2984
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2984.9163\GoogleChrome.exe
Type:
MD5:
SHA256:

PID: 3092
Process: GoogleChrome.exe
Filename: C:\GoogleChrome\iibelieve.rtf
Type: text
MD5: BE02A4D6C89F3D068E9F9027F1653E09
SHA256: 30301C7F9BFCBF28071E3D40F2DA5EF1D7E80D65594ADF78C69A4D2B0FC33DC0

PID: 3092
Process: GoogleChrome.exe
Filename: C:\GoogleChrome\GoogleChrome.a3x
Type: a3x
MD5: 6B2D901299179D2B5DF81CB8C4EE35C9
SHA256: 9B42C396A67B56AABCA4CE9D9CD9839CF290C72F90E4B577E4318786221D0757

PID: 3092
Process: GoogleChrome.exe
Filename: C:\GoogleChrome\menbuilt.rtf
Type: text
MD5: E30E9F2EFC771EEBAE5DC5AAC0CF2BCB
SHA256: 44424CE8836384531EF827DC17FC0B6307271E3ECD6F48CE67F795B05D709A84

PID: 3092
Process: GoogleChrome.exe
Filename: C:\GoogleChrome\printercarolina.jpg
Type: image
MD5: 98199076C723975EFF1B337DE979FF97
SHA256: 95033BA877E83210F117F150BD278B4DD53C4FFD7FB2249D8B9FB71EDCF40ACF

PID: 2348
Process: GoogleChrome.exe
Filename: C:\MozillaFirefox\GoogleChrome.a3x
Type: a3x
MD5: 6B2D901299179D2B5DF81CB8C4EE35C9
SHA256: 9B42C396A67B56AABCA4CE9D9CD9839CF290C72F90E4B577E4318786221D0757

PID: 2348
Process: GoogleChrome.exe
Filename: C:\GoogleChrome\GoogleUpdate.lnk
Type: lnk
MD5: A07BCE00C3A4F3A825D7E3CDEFAB8FC6
SHA256: 448505D75118679BD24018BAEBF8CA1604F25BA0166152F2E406E9DD3603F99A

PID: 3092
Process: GoogleChrome.exe
Filename: C:\GoogleChrome\commonterm.rtf
Type: text
MD5: 17E0BC60921A1F413D4681EC8FAB104A
SHA256: 12AC05694F9B300B0BF9846206BD71CCB92491B8BCC3E0E4B5BEE1ECFEC11D83

PID: 2348
Process: GoogleChrome.exe
Filename: C:\MozillaFirefox\clearasia.png
Type: image
MD5: 3A116016CEDEA238837BAA9AB60DEACF
SHA256: D3748F60B140B9A7A6228E19C378530B880111163A6575EDDE4B4CEACD99D041
HTTP(S) requests: 0
TCP/UDP connections: 9
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2348
Process: GoogleChrome.exe
IP: 195.22.4.21:1212
Domain: dmad.info
ASN: Claranet Ltd
CN: PT
Reputation: suspicious

DNS requests

Domain: dmad.info
IP: 195.22.4.21
Reputation: malicious

Threats

No threats detected
No debug info