File name: 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.gz
Full analysis: https://app.any.run/tasks/47f0a85d-5374-490e-847a-1240ad545d10
Verdict: Malicious activity
Analysis date: July 17, 2019, 10:57:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/gzip
File info: gzip compressed data, max compression, from Unix
MD5: 8F1F60117C1B3A97E19A3F70DB29A629
SHA1: 1B45E32EB175AA11A2561257BD0E07818AF16D4E
SHA256: BB3DEB0D3EAF85B929305CA3847898AAECB6B42A50A80EFB132C2CC47B2CFD24
SSDEEP: 384:+o6LLiW35mKK9/9pHBy821uPzlpNpVoEa5xjn3ECUn0umB:+rLxpmrpHByb1CPA5xTNVl

Note: the hashes above are for the submitted gzip wrapper, not for the .scr it contains. The file name is itself a 64-hex-character SHA256 string and does not match the wrapper's SHA256, so it is presumably the hash of the extracted executable; verify it against the unpacked file before using either value as an IOC.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr (PID: 2924)
    • Changes the autorun value in the registry: 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr (PID: 2924)
  • SUSPICIOUS
    • Reads the cookies of Google Chrome: 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr (PID: 2924)
    • Executable content was dropped or overwritten: 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr (PID: 2924)
    • Changes tracing settings of the file or console: 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr (PID: 2924)
  • INFO
    • Manual execution by user: 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr (PID: 2924)
No Malware configuration.

TRiD: .z/gz/gzip | GZipped data (100)

EXIF (gzip header fields, shown under the ZIP group):
Compression: Deflated
Flags: (none)
ModifyDate: 0000:00:00 00:00:00
ExtraFlags: Maximum Compression
OperatingSystem: Unix

The gzip MTIME field is zero, which per RFC 1952 means no timestamp is available, so the header gives no clue about when the payload was packed.
No data.
Total processes: 41
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 2956
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.gz.z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2924
CMD: "C:\Users\admin\Desktop\6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr" /S
Path: C:\Users\admin\Desktop\6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr
Indicators: see the MALICIOUS and SUSPICIOUS signatures above
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Both processes are children of explorer.exe: the analyst opened the archive (saved by the sandbox with a trailing .z) in WinRAR, then launched the extracted .scr from the Desktop. The /S switch is what the shell's default "open" verb for .scr files appends, so it reflects a double-click, not an argument chosen by the malware.
Total events
346
Read events
323
Write events
23
Delete events
0

Modification events

PID | Process | Key | Operation | Name | Value
2956 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
2956 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
2956 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | write | LanguageList | en-US
2956 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.gz.z
2956 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2956 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2956 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2956 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Traybar | C:\Users\admin\AppData\Local\Temp\lsass.exe
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 | write | EnableFileTracing | 0

The WinRAR entries are ordinary UI state (theme, archive history, column widths). The two writes by PID 2924 are the ones that matter. The first is a machine-wide Run entry named "Traybar" pointing to lsass.exe in the user's Temp directory; the genuine lsass.exe lives in %SystemRoot%\System32 and is never started from a Run key, so this is a persistence entry using a system-process name as cover. The second switches off RASAPI32 file tracing, which is the "Changes tracing settings" signature above. Two checks for whoever hunts this on a live host: the Temp\lsass.exe path does not appear by that name in the dropped-files list below, so look for one of the tmp*.tmp files being moved there; and because the writer ran at MEDIUM integrity, check the HKCU\Software\Classes\VirtualStore copy of the Run key as well as the real HKLM key, since Windows may have redirected the write there.
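The classification a triage script would apply to the table above, as an added example (my code, not ANY.RUN's). EVENTS is constructed from the modification events on this page; the field names, the list of system-binary names, the user-writable prefixes and the reason codes are my own assumptions, and only Run-style keys are covered (services, Winlogon and scheduled tasks would need their own rules).

```python
"""Triage sandbox registry-write events for autorun persistence and tracing changes."""
import ntpath
import re

SAMPLE = "6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr"

# Run-style keys under HKLM or HKCU (assumption: enough for this page).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$",
    re.IGNORECASE,
)
TRACING_KEY_RE = re.compile(r"\\Microsoft\\Tracing\\", re.IGNORECASE)

# Core Windows binaries that only legitimately run from System32 (illustrative list).
SYSTEM_BINARY_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"

# Locations an unprivileged user can write to (assumption: default Windows 7 layout).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed from the page's modification events; empty values kept as "".
EVENTS = [
    {"pid": 2956, "process": "WinRAR.exe",
     "key": r"HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes",
     "name": "ShellExtBMP", "value": ""},
    {"pid": 2956, "process": "WinRAR.exe",
     "key": r"HKEY_CURRENT_USER\Software\WinRAR\ArcHistory", "name": "0",
     "value": r"C:\Users\admin\Desktop\6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.gz.z"},
    {"pid": 2924, "process": SAMPLE,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Traybar", "value": r"C:\Users\admin\AppData\Local\Temp\lsass.exe"},
    {"pid": 2924, "process": SAMPLE,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32",
     "name": "EnableFileTracing", "value": "0"},
]


def normalize_path(value):
    """Lower-case, drop surrounding quotes and unify slashes so prefix checks are stable."""
    return ntpath.normcase(value.strip().strip('"'))


def is_user_writable(path):
    return normalize_path(path).startswith(USER_WRITABLE_PREFIXES)


def impersonated_system_binary(path):
    """Return the system binary name the path masquerades as, or None if it is genuine."""
    p = normalize_path(path)
    name = ntpath.basename(p)
    if name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIR):
        return name
    return None


def triage_events(events):
    """One finding per suspicious write; benign UI-state writes produce nothing."""
    findings = []
    for ev in events:
        reasons = []
        if AUTORUN_KEY_RE.search(ev["key"]):
            reasons.append("autorun_key")
            if ev["key"].upper().startswith("HKEY_LOCAL_MACHINE"):
                reasons.append("machine_wide")
            if is_user_writable(ev["value"]):
                reasons.append("user_writable_target")
            name = impersonated_system_binary(ev["value"])
            if name:
                reasons.append("impersonates_" + name)
        elif (TRACING_KEY_RE.search(ev["key"])
              and ev["name"].lower() == "enablefiletracing" and ev["value"] == "0"):
            reasons.append("disables_file_tracing")
        if reasons:
            findings.append({"pid": ev["pid"], "process": ev["process"], "key": ev["key"],
                             "name": ev["name"], "value": ev["value"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_events(EVENTS):
        print(f["pid"], f["key"] + "\\" + f["name"], "=", repr(f["value"]), ",".join(f["reasons"]))
```

Run as-is it reports only the two PID 2924 writes: the Traybar entry with all four autorun reasons and the RASAPI32 tracing change. Swap EVENTS for records parsed out of a full report (or a live registry diff) and the same rules apply.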
Executable files: 4
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.11771\6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.gz
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp43A2.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp43A3.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp446F.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp4470.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp6FB7.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp7361.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp7362.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp7392.tmp
2924 | 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr | C:\Users\admin\AppData\Local\Temp\tmp73A3.tmp

MD5, SHA256 and file-type values for the dropped files are not included in this summary. The WinRAR row is the archiver's own extraction of the payload into its Rar$DR temp directory; the copy that was executed is the .scr on the Desktop. The nine tmp*.tmp files written by the sample carry no extension, so the "Executable files: 4" count above indicates that at least some of them are PE files despite the .tmp name; their hashes are what you want for IOCs, not the wrapper's.
HTTP(S) requests: 0
TCP/UDP connections: 85
DNS requests: 122
Threats: 0

Zero HTTP requests alongside 85 connections and 122 DNS lookups means the network activity is not web traffic; the connection list shows it is SMTP (port 25) and port 1042. "Threats: 0" means no network signature fired on the capture, not that the traffic is benign.

HTTP requests

No HTTP requests

Connections

All listed connections are from PID 2924 (6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr); the summary shows 10 of the 85 connections.

IP:port | Domain | ASN | Country | Reputation
64.90.25.125:1042 | (none) | Windstream Communications Inc | US | unknown
69.110.35.104:1042 | (none) | AT&T Services, Inc. | US | unknown
216.97.88.9:25 | unicode.org | CoreSpace, Inc. | US | unknown
129.81.213.115:1042 | (none) | Tulane University | US | unknown
15.244.203.96:1042 | (none) | Hewlett-Packard Company | US | unknown
17.151.62.66:25 | nwk-aaemail-lapp01.apple.com | Apple Inc. | US | unknown
10.96.17.52:1042 | (none) | (private address) | (none) | unknown
172.16.2.218:1042 | (none) | (private address) | (none) | unknown
207.244.88.150:25 | mx1-lw-us.apache.org | Leaseweb USA, Inc. | US | unknown
98.137.159.24:25 | mta7.am0.yahoodns.net | Yahoo | US | unknown

Two patterns stand out. First, direct SMTP (port 25) to the mail exchangers of unrelated public domains (unicode.org, apple.com, apache.org, yahoo.com); a screensaver binary started from the Desktop has no legitimate reason to speak SMTP, and on an enterprise network egress on port 25 from workstations should be blocked and alerted on. Second, connections to port 1042 on a mix of unrelated public hosts (an ISP, a university, HP) plus two RFC 1918 addresses (10.96.17.52, 172.16.2.218) that are not routable from the sandbox, which looks like the sample working through a list of peers or targets rather than contacting a single C2 host. Pull the PCAP from the full report to see what was actually sent on both ports.
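How the two patterns above can be pulled out of a connection list automatically, as an added example (my code, not ANY.RUN's). CONNECTIONS is constructed from the table above; the set of processes allowed to speak SMTP, the fan-out threshold and the port exclusions are my own assumptions, chosen for illustration.

```python
"""Triage the connection list of a sandbox report: rogue SMTP, private targets, port fan-out."""
import ipaddress
from collections import defaultdict

SAMPLE = "6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596.bin.scr"

# (pid, process, "ip:port", resolved domain or None), constructed from the page.
CONNECTIONS = [
    (2924, SAMPLE, "64.90.25.125:1042", None),
    (2924, SAMPLE, "69.110.35.104:1042", None),
    (2924, SAMPLE, "216.97.88.9:25", "unicode.org"),
    (2924, SAMPLE, "129.81.213.115:1042", None),
    (2924, SAMPLE, "15.244.203.96:1042", None),
    (2924, SAMPLE, "17.151.62.66:25", "nwk-aaemail-lapp01.apple.com"),
    (2924, SAMPLE, "10.96.17.52:1042", None),
    (2924, SAMPLE, "172.16.2.218:1042", None),
    (2924, SAMPLE, "207.244.88.150:25", "mx1-lw-us.apache.org"),
    (2924, SAMPLE, "98.137.159.24:25", "mta7.am0.yahoodns.net"),
]

# Processes expected to send mail from a workstation (assumption: illustrative list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
WEB_PORTS = {80, 443}
FANOUT_THRESHOLD = 3  # distinct external hosts on one non-standard port (assumption)


def parse_endpoint(endpoint):
    """Split 'ip:port' into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def smtp_from_non_mail_process(conns):
    """Outbound SMTP by anything that is not a known mail client."""
    hits = []
    for pid, proc, endpoint, domain in conns:
        ip, port = parse_endpoint(endpoint)
        if port in SMTP_PORTS and proc.lower() not in MAIL_CLIENTS:
            hits.append((pid, str(ip), port, domain))
    return hits


def private_targets(conns):
    """Endpoints in RFC 1918 or other non-routable space: peer lists, scanning or stale config."""
    return [ep for _, _, ep, _ in conns if parse_endpoint(ep)[0].is_private]


def port_fanout(conns):
    """Sorted distinct globally routable destination IPs per destination port."""
    by_port = defaultdict(set)
    for _, _, endpoint, _ in conns:
        ip, port = parse_endpoint(endpoint)
        if ip.is_global:
            by_port[port].add(str(ip))
    return {port: sorted(ips) for port, ips in by_port.items()}


def fanout_alerts(conns, threshold=FANOUT_THRESHOLD):
    """Non-web, non-mail ports contacted on at least `threshold` distinct external hosts."""
    return {port: ips for port, ips in port_fanout(conns).items()
            if port not in SMTP_PORTS | WEB_PORTS and len(ips) >= threshold}


if __name__ == "__main__":
    for hit in smtp_from_non_mail_process(CONNECTIONS):
        print("SMTP from non-mail process:", hit)
    print("private targets:", private_targets(CONNECTIONS))
    for port, ips in fanout_alerts(CONNECTIONS).items():
        print("fan-out on port %d to %d hosts:" % (port, len(ips)), ips)
```

On the page's data this yields four SMTP hits (one per mail exchanger), two private targets, and a fan-out alert for port 1042 across four external hosts. The private-address check is worth keeping separate from fan-out: a sample that also tries 10.x and 172.16.x addresses from a sandbox is carrying those addresses in its own configuration or target list.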

DNS requests

Domain | Resolved IPs | Reputation
dns.msftncsi.com | 131.107.255.255 | shared
apple.com | 17.172.224.47, 17.178.96.59, 17.142.160.59 | whitelisted
nwk-aaemail-lapp01.apple.com | 17.151.62.66 | whitelisted
unicode.org | 216.97.88.9 | whitelisted
yahoo.com | 72.30.35.9, 72.30.35.10, 98.138.219.231, 98.137.246.8, 98.138.219.232, 98.137.246.7 | whitelisted
mta7.am0.yahoodns.net | 98.137.159.24, 98.137.159.26, 74.6.137.65, 67.195.228.109, 74.6.137.63, 67.195.228.111, 67.195.228.110, 98.137.159.28 | whitelisted
openoffice.org | 95.216.24.32, 40.79.78.1 | whitelisted
mx1-lw-eu.apache.org | (no address recorded) | whitelisted
mx1-lw-us.apache.org | 207.244.88.150 | whitelisted
onlineconnections.com.au | 192.254.190.168 | unknown

The summary lists 10 of the 122 DNS requests. dns.msftncsi.com is the Windows network connectivity probe, not sample activity. The mail-exchanger hostnames (nwk-aaemail-lapp01.apple.com, mta7.am0.yahoodns.net, mx1-lw-us.apache.org, mx1-lw-eu.apache.org) line up with the port-25 connections above. "whitelisted" here rates the domain's reputation, not the traffic: these are well-known domains whose mail servers the sample chose to connect to, so the DNS names themselves are poor IOCs and the behaviour (an unexpected process resolving MX hosts and opening port 25) is what to detect on.

Threats

No threats detected
No debug info