File name: NeverExecute_full.zip
Full analysis: https://app.any.run/tasks/582a2c99-c7d9-473d-a68f-ec992ca8adc1
Verdict: Malicious activity
Analysis date: April 23, 2019, 23:15:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8FDBE051302788C37848C4F0E92CE355
SHA1: 310A45411971C240205F6AC6D8B7DBB975A0259E
SHA256: BFD978EA2866A725F0CF981A3809A4EACF40829D86B41D99BEE30DEDE2FE0D37
SSDEEP: 196608:dG0oq4jGNQzIrxgL3/KcaMqMR0AcoD9eUKZM9PffpoI7:dGfqYmxKaGhK+9fG0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 1944)
      • svchost.exe (PID: 328)
    • Application was dropped or rewritten from another process
      • svchost.exe (PID: 328)
  • SUSPICIOUS
    • Creates executable files which already exist in Windows
      • WinRAR.exe (PID: 772)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 772)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:08:14 01:03:23
ZipCRC: 0x4a4e82f5
ZipCompressedSize: 880904
ZipUncompressedSize: 2106368
ZipFileName: libcrypto-1_1.dll
No data.
Total processes: 34
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph (processes shown): winrar.exe, searchprotocolhost.exe (no specs), svchost.exe

Process information

PID: 772
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NeverExecute_full.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1944
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 328
CMD: "C:\Users\admin\Desktop\svchost.exe"
Path: C:\Users\admin\Desktop\svchost.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.15175.1
Total events: 439
Read events: 420
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 772 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa772.37330\svchost.exe
Type: executable
MD5: 091665A0A133E958E343C191B38F1B0C
SHA256: 3B4C15C41296E94F6439CA9F40A30E83488F00F813667142C117E469E0774A58

PID: 772 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa772.37330\libssl-1_1.dll
Type: executable
MD5: 235BECA4C331599E057F74A311FD0ECF
SHA256: 2DDFDF325449D31DCE777C4AD8831C5893B1CCAAF79236DBD00B6B844873F8DA

PID: 772 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa772.37330\libcrypto-1_1.dll
Type: executable
MD5: E9C9E8B1EFD08B1A4B2812A3B1DB1711
SHA256: 860241AAB98A7EA0DDB31D3A4F96AA4D209F8FAFC69BF3223DE13309F8194565

PID: 772 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa772.37330\msvcr120.dll
Type: executable
MD5: 034CCADC1C073E4216E9466B720F9849
SHA256: 86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data
DNS requests: No data
Threats: No threats detected
Debug info: No debug info