File name: sample.zip
Full analysis: https://app.any.run/tasks/1938b248-244d-4cc0-8cbd-b0c8fc73a799
Verdict: Malicious activity
Analysis date: September 18, 2019, 15:45:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E55AF15F1A919860E28DEA97EC1A8C28
SHA1: 560064C0B49DB159CBC1C708D34E4DF9144F3A2D
SHA256: BF714D66F324D78DF85E5801D06352B599DC6999DD05F38529820F41B19147BD
SSDEEP: 48:1QLIq9yHPfeZoBUsWWN6lrQ/AlMKkEXdWid7kyOZkGeMEhIAOGzI9iwJ3LhUc:SMfWY6lrrlIEXBd7kyOjEqApI9iw1mc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2728)
      • EQNEDT32.EXE (PID: 2736)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2064)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3572)
      • WINWORD.EXE (PID: 2696)
      • chrome.exe (PID: 2064)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3572)
      • WINWORD.EXE (PID: 2696)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3572)
      • WINWORD.EXE (PID: 2696)
    • Reads the hosts file

      • chrome.exe (PID: 2064)
      • chrome.exe (PID: 3956)
    • Application launched itself

      • chrome.exe (PID: 2064)
    • Dropped object may contain Bitcoin addresses

      • chrome.exe (PID: 2064)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:09:18 15:43:27
ZipCRC: 0xb80d4ef2
ZipCompressedSize: 2588
ZipUncompressedSize: 8765
ZipFileName: 5053c05fe42e9687054d20918c95cbda525c8abde088019004594067f264c3b5.bin
All screenshots are available in the full report
Total processes: 70
Monitored processes: 30
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process tree labels as extracted from the graph (process names, "no specs" marking processes with no indicators): start, winrar.exe (no specs), winword.exe (no specs), eqnedt32.exe, winword.exe (no specs), eqnedt32.exe, chrome.exe, followed by the chrome.exe child processes, most of them marked "no specs".

Process information

PID: 3444
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3572
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\tko.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2728
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 2696
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\tko.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2736
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 2064
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 3221225547
Version: 75.0.3770.100

PID: 2880
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6b98a9d0,0x6b98a9e0,0x6b98a9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2144
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3056 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 3412
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,4177374532309656695,4390579237379237314,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=4215310554660908990 --mojo-platform-channel-handle=1012 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 3956
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=992,4177374532309656695,4390579237379237314,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=9826012887672342704 --mojo-platform-channel-handle=1616 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 2 665
Read events: 1 865
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 50
Text files: 214
Unknown types: 19

Dropped files

PID | Process | Filename | Type
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA41.tmp.cvr |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.tmp |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.docx |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0000.docx |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0003.tmp |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.docx |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0002.docx |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{26ECC87B-65D0-4A83-9195-B1087B5056EF}.tmp |
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR78B5.tmp.cvr |
3572 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 69A32734FE678E976F8CE4E2FB6C6E17
SHA256: B385C0C37B7A8C013A822735976B18992929767E58D360D88DDF7AC209E8DC46

Only the last dropped file (~$Normal.dotm) has hashes listed in the report; the MD5 and SHA256 fields of the other entries are empty.
HTTP(S) requests: 2
TCP/UDP connections: 36
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3956 | chrome.exe | GET | 302 | 172.217.22.14:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 513 b | whitelisted
3956 | chrome.exe | GET | 200 | 173.194.188.102:80 | http://r1---sn-4g5ednss.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=85.17.73.119&mm=28&mn=sn-4g5ednss&ms=nvh&mt=1568821638&mv=m&mvi=0&pl=24&shardbypass=yes | US | crx | 862 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3956 | chrome.exe | 216.58.208.35:443 | www.gstatic.com | Google Inc. | US | whitelisted
2736 | EQNEDT32.EXE | 172.93.97.58:443 | www.top10indiaairconditioner.com | Choopa, LLC | US | unknown
2728 | EQNEDT32.EXE | 172.93.97.58:443 | www.top10indiaairconditioner.com | Choopa, LLC | US | unknown
3956 | chrome.exe | 172.217.22.14:443 | apis.google.com | Google Inc. | US | whitelisted
3956 | chrome.exe | 216.58.208.46:443 | ogs.google.com | Google Inc. | US | whitelisted
3956 | chrome.exe | 172.217.21.195:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
3956 | chrome.exe | 172.217.22.4:443 | www.google.com | Google Inc. | US | whitelisted
3956 | chrome.exe | 172.217.16.202:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
 | | 172.93.97.58:443 | www.top10indiaairconditioner.com | Choopa, LLC | US | unknown
3956 | chrome.exe | 172.217.16.131:443 | www.google.com.ua | Google Inc. | US | whitelisted

The row without a PID or process name is listed that way in the report.

DNS requests

Domain | IP | Reputation
www.top10indiaairconditioner.com | 172.93.97.58 | unknown
clientservices.googleapis.com | 172.217.18.3 | whitelisted
accounts.google.com | 172.217.23.141 | shared
www.google.com.ua | 172.217.16.131 | whitelisted
www.gstatic.com | 216.58.208.35 | whitelisted
fonts.googleapis.com | 172.217.16.202 | whitelisted
ogs.google.com | 216.58.208.46 | whitelisted
apis.google.com | 172.217.22.14 | whitelisted
fonts.gstatic.com | 172.217.21.195 | whitelisted
www.google.com | 172.217.22.4 | whitelisted

Threats

No threats detected
No debug info