analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

MDE_File_Sample_049f6ba19e587e9b22703200bbf37f7e7558a075.zip

Full analysis: https://app.any.run/tasks/7f79d0d7-1623-47a7-839a-18ca806bf721
Verdict: Malicious activity
Analysis date: May 20, 2022, 16:24:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

13235B9890B04FABEA9D246919E08E02

SHA1:

D89D41FB1318CE010BE1D36BFE4FA52A5CDF0E68

SHA256:

B62FF6B8ADFB18C4B3FA4A615A4CC3523FA4397377D6CA605455ACC0CB2336F4

SSDEEP:

12:5jjBjKNEDzkR9nXnvrj97mh0UjRpEGuE33EcI73hRPa2o0bP2B4jt3XIBix/GhDK:9Y59Xvrj97mXSbnPRU4jFZoDsUaBG8Sc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 116)
    • Checks supported languages

      • WinRAR.exe (PID: 116)
    • Starts Internet Explorer

      • WinRAR.exe (PID: 116)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2020)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3840)
      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2020)
    • Reads the computer name

      • iexplore.exe (PID: 3840)
      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2020)
    • Application launched itself

      • iexplore.exe (PID: 3840)
      • iexplore.exe (PID: 1000)
    • Changes internet zones settings

      • iexplore.exe (PID: 3840)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2020)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3840)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: paystub- chek- ucb.com[1875].html
ZipUncompressedSize: 1513
ZipCompressedSize: 761
ZipCRC: 0xa657a85c
ZipModifyDate: 2022:05:20 15:56:15
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MDE_File_Sample_049f6ba19e587e9b22703200bbf37f7e7558a075.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3840"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb116.5663\paystub- chek- ucb.com[1875].htmlC:\Program Files\Internet Explorer\iexplore.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1000"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3840 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2020"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3840 CREDAT:333057 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
11 485
Read events
11 302
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
116WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb116.5663\paystub- chek- ucb.com[1875].htmlhtml
MD5:68A64810292A17DA75F73F22434375C0
SHA256:ABF862BE1A533F6B2A0479FEC0D463438C2285742DD83897886D978B46D71066
3840iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:D85588DDF9551195182C309BCD97DAC5
SHA256:1C8B56033977F141FD3C34A2E259AC4E92C979C657D37C5986F6E225AF11036B
3840iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3840iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:3C30D7BCF80D5E813481FAED227FE1CF
SHA256:B668944EB6A2A17319F82DF32C334B94AAC094530B44F3775DA780285B72C71D
3840iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:13B62ECFFEE65578241F9E0EB317E920
SHA256:5BE1060FF04F6A82AAC56DC9DF6B47666D0F2E7D7CC1B7B284220750E382588C
3840iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC8FE9D561E9E7288AECF13F03AEA3D1
SHA256:CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
3840iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:FA526918A211E850A6078FB1D00B2045
SHA256:396B94C667643AFA59D155EF4D812DA6F4D67DD50CEC97194E1CA3A1B3ECE3FE
3840iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3840iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB09.tmpxml
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3840iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3840
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3840
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?287a5ec2b6ab8b19
US
compressed
4.70 Kb
whitelisted
3840
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?897669da4f897b1b
US
compressed
4.70 Kb
whitelisted
3840
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3840
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3840
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3840
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3840
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
onedrivece12.blob.core.windows.net
suspicious
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service
Potential Corporate Privacy Violation
ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service
Potential Corporate Privacy Violation
ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service
No debug info