File name: netcrypt.zip

Full analysis: https://app.any.run/tasks/27f492e1-3772-4dc5-bbd5-e26fc96e090e
Verdict: Malicious activity
Analysis date: August 12, 2022, 19:11:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 7AF58423CC466C0D43C597769A783864
SHA1: 0267B735E7859AD70708A815B75A21062967311C
SHA256: B39CEE398C414014C806D73F27882BF179038B8EDD21863DE08EC83A8288D63F
SSDEEP: 3072:doCIpozTGAFnv8mavFQmnuPD/KxfhB+laYDzdI1Zru/L2J3R:doC0Dma+7KdLSSKL8h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2888)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2520)
    • Application was dropped or rewritten from another process

      • SimplePacker.exe (PID: 1436)
      • input.exe (PID: 3068)
      • output.exe (PID: 352)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2520)
      • SimplePacker.exe (PID: 1436)
      • input.exe (PID: 3068)
      • output.exe (PID: 352)
    • Checks supported languages

      • WinRAR.exe (PID: 2520)
      • SimplePacker.exe (PID: 1436)
      • output.exe (PID: 352)
      • input.exe (PID: 3068)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2520)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2520)
    • Reads internet explorer settings

      • SimplePacker.exe (PID: 1436)
  • INFO

    • Manual execution by user

      • SimplePacker.exe (PID: 1436)
      • input.exe (PID: 3068)
      • output.exe (PID: 352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2013:11:05 10:58:18
ZipCRC: 0xf4d2b21b
ZipCompressedSize: 4340
ZipUncompressedSize: 10240
ZipFileName: netcrypt.dll
No data.
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph


Process information

PID: 2520
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\netcrypt.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2888
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 1436
CMD: "C:\Users\admin\Desktop\SimplePacker.exe"
Path: C:\Users\admin\Desktop\SimplePacker.exe
Parent process: Explorer.EXE
User: admin
Company: @friedkiwi
Integrity Level: MEDIUM
Description: SimplePacker
Version: 1.1.0.0

PID: 3068
CMD: "C:\Users\admin\Desktop\sample_output\input.exe"
Path: C:\Users\admin\Desktop\sample_output\input.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: HelloWorld
Exit code: 0
Version: 1.0.0.0

PID: 352
CMD: "C:\Users\admin\Desktop\sample_output\output.exe"
Path: C:\Users\admin\Desktop\sample_output\output.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 0.0.0.0
Total events
3 096
Read events
3 055
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID: 2520
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2520.16309\netcrypt.dll
Type: executable
MD5: 61CF4C53C8FFC85B72BF7C1AC59B4708
SHA256: 426E2DFB4BD502D8400E54B1C0879096F28CE6AD25196535F90B9719598FF2E9

PID: 2520
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2520.16309\sample_output\input.exe
Type: executable
MD5: C7676E43AC86F02F5500C64FCC4479AC
SHA256: FA5329CFDE04A626F33C78B63CDBB46D4D46604C9E7A16F529DCF31D81571CDB

PID: 2520
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2520.16309\SimplePacker.exe
Type: executable
MD5: 388C6C08F78A89BBE224228757A7BFA8
SHA256: 4A91548C6C3B584B30A4CA51E6C46982EF1A41220C588F57BB59AADDCBD3911C

PID: 2520
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2520.16309\sample_output\output.exe
Type: executable
MD5: B8606EB6403B50C8266A758D9885A0A7
SHA256: C51F94FEAF051EC9913E4B4EE912FB773DCBDCF0B81042C43FE17442C3A0519A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info