Malware analysis 4.zip Malicious activity | ANY.RUN

Add for printing

File name:	4.zip
Full analysis:	https://app.any.run/tasks/4961a045-784b-45bc-9aa0-1a56910b9069
Verdict:	Malicious activity
Analysis date:	May 06, 2019, 06:31:25
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	1F53FB6BCB7D0BF7DAD1015E94BB7B87
SHA1:	396C7EFEFAE47594625D93019EBCB77DB34633FC
SHA256:	BBA1A83AB7F2221FD58543D1D66AB90CEA11E878C6404CC752AA667228663AE7
SSDEEP:	49152:aegpr3fOsFY0/FdswvsYk+Gcwu/KKXwZ5q+aa5QOOX1gTagMo8awhzpNOCrMJv+G:afr3fOsFX/FdscbMNKXwTq+rOWPopN1Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - COSY V1 - Spotify Checker.exe (PID: 3984)
  - COSY V1 - Spotify Checker.exe (PID: 2224)
  - file_exe.exe (PID: 1704)
  - COSY V1 - Spotify Checker.exe (PID: 2180)
  - love.exe (PID: 1836)
  - Win32.exe (PID: 3140)
- Loads dropped or rewritten executable
  - COSY V1 - Spotify Checker.exe (PID: 3984)
  - SearchProtocolHost.exe (PID: 3216)
- Loads the Task Scheduler COM API
  - mmc.exe (PID: 1856)
  - schtasks.exe (PID: 2724)
- Uses Task Scheduler to run other applications
  - love.exe (PID: 1836)
- Changes settings of System certificates
  - Win32.exe (PID: 3140)
SUSPICIOUS
- Executable content was dropped or overwritten
  - file_exe.exe (PID: 1704)
  - WinRAR.exe (PID: 4004)
  - COSY V1 - Spotify Checker.exe (PID: 2224)
  - COSY V1 - Spotify Checker.exe (PID: 3984)
  - love.exe (PID: 1836)
- Starts CMD.EXE for commands execution
  - COSY V1 - Spotify Checker.exe (PID: 3984)
- Loads Python modules
  - COSY V1 - Spotify Checker.exe (PID: 3984)
- Creates files in the user directory
  - love.exe (PID: 1836)
- Starts itself from another location
  - love.exe (PID: 1836)
- Uses NETSTAT.EXE to discover network connections
  - cmd.exe (PID: 1972)
- Adds / modifies Windows certificates
  - Win32.exe (PID: 3140)
INFO
- Application was crashed
  - COSY V1 - Spotify Checker.exe (PID: 2180)
- Reads settings of System Certificates
  - Win32.exe (PID: 3140)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2019:05:05 07:12:22
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Combos.txt

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
4004	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\4.zip"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
3216	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255)
2224	"C:\Users\admin\Desktop\COSY V1 - Spotify Checker.exe"	C:\Users\admin\Desktop\COSY V1 - Spotify Checker.exe		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3984	"C:\Users\admin\Desktop\COSY V1 - Spotify Checker.exe"	C:\Users\admin\Desktop\COSY V1 - Spotify Checker.exe		COSY V1 - Spotify Checker.exe
User: admin Integrity Level: MEDIUM Exit code: 0
756	C:\Windows\system32\cmd.exe /c file_exe.exe	C:\Windows\system32\cmd.exe	—	COSY V1 - Spotify Checker.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1704	file_exe.exe	C:\Users\admin\Desktop\file_exe.exe		cmd.exe
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0
1836	"C:\Users\admin\AppData\Local\Temp\love.exe"	C:\Users\admin\AppData\Local\Temp\love.exe		file_exe.exe
User: admin Integrity Level: HIGH Exit code: 0
2180	"C:\Users\admin\AppData\Local\Temp\COSY V1 - Spotify Checker.exe"	C:\Users\admin\AppData\Local\Temp\COSY V1 - Spotify Checker.exe		file_exe.exe
User: admin Integrity Level: MEDIUM Description: Spotify Checker Version: 1.0.0.0
2688	"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s	C:\Windows\system32\mmc.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1856	"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s	C:\Windows\system32\mmc.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 786

Read events

1 668

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2224	COSY V1 - Spotify Checker.exe	C:\Users\admin\AppData\Local\Temp\_MEI22242\bz2.pyd		executable
		MD5:EC741FFBCAF76B6045A73B49FC1A50BD	SHA256:C4778BF950CCAE643E6D9B42F5E2624CB2141BB4E8E341CEA8844AB35B9A73F5
2224	COSY V1 - Spotify Checker.exe	C:\Users\admin\AppData\Local\Temp\_MEI22242\msvcp90.dll		executable
		MD5:90D560C689F507489485DEDDAEFA3153	SHA256:BC53359AD6A8146B41DD3083462BC045ACEFE96E079282EA4A6DF21F87B5E9FF
3984	COSY V1 - Spotify Checker.exe	C:\Users\admin\Desktop\file_exe.exe		executable
		MD5:0BB87E53833306ABB1950EEDDB508820	SHA256:B13CB13936757B1476BCDF6AADE881672B7B426A6018F2D308BD5479D5F77731
2224	COSY V1 - Spotify Checker.exe	C:\Users\admin\AppData\Local\Temp\_MEI22242\select.pyd		executable
		MD5:54F519FBC33CCCE8408AFF7E8F07ADD7	SHA256:72A48C97570E10F2A52FD080AA78D312B5166C6EF20CCB858BA7A19D47EEE739
2224	COSY V1 - Spotify Checker.exe	C:\Users\admin\AppData\Local\Temp\_MEI22242\unicodedata.pyd		executable
		MD5:54B9007FA39C1837EA87BCF6B175D3B9	SHA256:ACDE1374475BD6295D8EDE0720BFCCE346D949AD302592C0DF0D4A7B1BF9B9AA
4004	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4004.31221\COSY V1 - Spotify Checker.exe		executable
		MD5:8238B5BE742EA1460544560516F1304F	SHA256:261ABF333AA01937E7EE01E8BB3846C55F919B6A8891AB30C21432B09DB8781D
2224	COSY V1 - Spotify Checker.exe	C:\Users\admin\AppData\Local\Temp\_MEI22242\output.exe.manifest		xml
		MD5:803233C765043F1F78ECB54967B39C9C	SHA256:FE210792A9054BF81B0C7A6E4EF1A0FFDF1F31A803FE4F3380EF1A8822D44A4B
4004	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4004.31221\Criminality.Helper.dll		executable
		MD5:0D50DEA884FA78B67C06FF9AEA5F0330	SHA256:2361ACAA7BAB686475605B0840427AF92A3FACA8C453E356AAA13ED85D40389F
2224	COSY V1 - Spotify Checker.exe	C:\Users\admin\AppData\Local\Temp\_MEI22242\msvcr90.dll		executable
		MD5:4FDC6EF163C587677AA196C3D17B8F5C	SHA256:C6C504830E7EFC3C6E2F3922E1500F5C3B732D13A321E1F30D9C75E1BE4AC303
2224	COSY V1 - Spotify Checker.exe	C:\Users\admin\AppData\Local\Temp\_MEI22242\_hashlib.pyd		executable
		MD5:AE1F3D94D27139D5A1BB8C6F1D9B9BA9	SHA256:68E9FF80F9A0759BB801816F439397615DC9BB8D9CFED534ACEF0BF09E520533

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3140	Win32.exe	185.209.23.138:5050	—	NovoServe B.V.	NL	unknown
3140	Win32.exe	104.20.209.21:443	pastebin.com	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
pastebin.com	104.20.209.21 104.20.208.21	shared

Threats

No threats detected

Add for printing

Process	Message
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn

General Info

4.zip

1F53FB6BCB7D0BF7DAD1015E94BB7B87

396C7EFEFAE47594625D93019EBCB77DB34633FC

BBA1A83AB7F2221FD58543D1D66AB90CEA11E878C6404CC752AA667228663AE7

49152:aegpr3fOsFY0/FdswvsYk+Gcwu/KKXwZ5q+aa5QOOX1gTagMo8awhzpNOCrMJv+G:afr3fOsFX/FdscbMNKXwTq+rOWPopN1Q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Loads the Task Scheduler COM API

Uses Task Scheduler to run other applications

Changes settings of System certificates

SUSPICIOUS

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Loads Python modules

Creates files in the user directory

Starts itself from another location

Uses NETSTAT.EXE to discover network connections

Adds / modifies Windows certificates

INFO

Application was crashed

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings