Sample: newupdate_password_2227.zip

Full analysis: https://app.any.run/tasks/153cc750-89a1-45d9-9ff3-1b7ea857759e
Verdict: Malicious activity
Analysis date: April 01, 2023, 15:34:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 902E6FEBB705BE9D5A81E80191C5256A
SHA1: 70097464419F45EDB280199E068B52158D724DCE
SHA256: C299E07C1A2FD29A21C075A5467F1AF42ECE26452B1607F76EA6E500D69B77E7
SSDEEP: 98304:3fioND+IQgyWaU0bn3Phved6/MJdCLglwZ5l2wAjhK8O:qSfQbWaU43JevJdd42wA9c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • version_v317.exe (PID: 2544)
      • version_v317.exe (PID: 1876)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 2240)
    • Actions look like stealing of personal data
      • AppLaunch.exe (PID: 1624)
  • SUSPICIOUS
    • Reads the Internet Settings
      • AppLaunch.exe (PID: 1624)
    • Searches for installed software
      • AppLaunch.exe (PID: 1624)
    • Loads DLL from Mozilla Firefox
      • AppLaunch.exe (PID: 1624)
    • Reads browser cookies
      • AppLaunch.exe (PID: 1624)
    • Connects to unusual port
      • AppLaunch.exe (PID: 1624)
    • Checks for external IP
      • AppLaunch.exe (PID: 1624)
  • INFO
    • Checks supported languages
      • version_v317.exe (PID: 2544)
      • AppLaunch.exe (PID: 1624)
      • wmpnscfg.exe (PID: 3768)
      • AppLaunch.exe (PID: 2796)
      • version_v317.exe (PID: 1876)
    • Manual execution by a user
      • version_v317.exe (PID: 2544)
      • wmpnscfg.exe (PID: 3768)
      • version_v317.exe (PID: 1876)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2512)
    • The process checks LSA protection
      • AppLaunch.exe (PID: 1624)
      • wmpnscfg.exe (PID: 3768)
      • AppLaunch.exe (PID: 2796)
    • Reads the computer name
      • AppLaunch.exe (PID: 1624)
      • wmpnscfg.exe (PID: 3768)
      • AppLaunch.exe (PID: 2796)
    • Reads the machine GUID from the registry
      • AppLaunch.exe (PID: 1624)
      • wmpnscfg.exe (PID: 3768)
      • AppLaunch.exe (PID: 2796)
    • Reads Environment values
      • AppLaunch.exe (PID: 1624)
      • AppLaunch.exe (PID: 2796)
    • Creates files in a temporary directory
      • AppLaunch.exe (PID: 1624)
    • Reads CPU info
      • AppLaunch.exe (PID: 1624)
    • Creates files or folders in the user directory
      • AppLaunch.exe (PID: 1624)
More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: icuin56.dll
ZipUncompressedSize: 1786368
ZipCompressedSize: 625601
ZipCRC: 0x504a8449
ZipModifyDate: 2022:01:24 02:15:04
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 49
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Graph nodes: start, winrar.exe, searchprotocolhost.exe (no specs), version_v317.exe (no specs), applaunch.exe, wmpnscfg.exe (no specs), version_v317.exe, applaunch.exe (no specs)

Process information

PID: 2512
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\newupdate_password_2227.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 2240
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
  c:\windows\system32\searchprotocolhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 2544
CMD: "C:\Users\admin\Desktop\version_v317.exe"
Path: C:\Users\admin\Desktop\version_v317.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\users\admin\desktop\version_v317.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe

PID: 1624
CMD: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Parent process: version_v317.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET ClickOnce Launch Utility
Exit code: 2148734499
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules (images):
  c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\apppatch\aclayers.dll
  c:\windows\system32\rpcrt4.dll

PID: 3768
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll

PID: 1876
CMD: "C:\Users\admin\Desktop\version_v317.exe"
Path: C:\Users\admin\Desktop\version_v317.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\desktop\version_v317.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe

PID: 2796
CMD: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Parent process: version_v317.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET ClickOnce Launch Utility
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules (images):
  c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\apppatch\aclayers.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
Total events: 12 100
Read events: 12 050
Write events: 44
Delete events: 6

Modification events

PID | Process | Key | Operation | Name | Value
2512 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2240 | SearchProtocolHost.exe | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US
2512 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 12
Suspicious files: 2
Text files: 430
Unknown types: 364

Dropped files

PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\accessibility.xpt (xpt)
  MD5: 1E178B64020F1CE4D8518C5B18B208A0
  SHA256: A560EC424A3CAED79CB93049DE888A3843BC34F352B6BB27F10724E10AB690DB
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\ActivityProxy.js (text)
  MD5: 18B159534F17E4ECFE583D0D9BB5DC40
  SHA256: 72D64C65530EA288072661271A0ABB3CFB56349CCC50B06C711641709D5581B7
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\amContentHandler.js (text)
  MD5: 24B4A2E9F7AEEC416ADCC5417B9E1D23
  SHA256: BCC9CFE21D5AFFB8F38AFF6DA5A8809AF1E5F0A0C4689224DF50E1FD849548ED
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\Activities.manifest (text)
  MD5: 77983A71105B96C1D9C75E9DBB31AF26
  SHA256: BBD1545C49F1A456BCA62B0C0A684C8FB2F802B60EE448BC45EC22B24941BD7C
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\ActivityWrapper.js (text)
  MD5: 5B7E48E5EBB0312591F7AC2843BA4E8E
  SHA256: FE510D8FC2EA30C085010E158067A26ABB31A0616E2BC7D48FDF374AF8E66D3D
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\icuuc56.dll (executable)
  MD5: 64B5B250BC5B84BCDEA9B48443D9B1B0
  SHA256: DE30C27E7BBF31B4BEE34F1FEBF5A71DC2318420C4E0FA52135FE85A27FCAE65
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\addoncompat.manifest (text)
  MD5: 5693979E6BD243F503621BD8A3E1076A
  SHA256: 414E9DB8B02035B3CDCE8C26D7360C5E92AFBE1D9588900B6E8DD1D141CCA258
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\ActivityRequestHandler.js (text)
  MD5: 7E6626AEF21B0DB6878A1AAFD28D3D7E
  SHA256: 95C59A66FBC28D9B13645B9B2CE656D4721272FF8D67E1177201504E059B41E4
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\amWebInstallListener.js (text)
  MD5: A8281CCC8C3C6850709546D2E6AE733C
  SHA256: C0D1A9D9DF3640080AC06D2F908A07FF29362A6B91C6989034EA6CCCDA708F2C
PID 2512, WinRAR.exe: C:\Users\admin\Desktop\components\ActivityMessageConfigurator.js (text)
  MD5: AA156D59F227CCDB14D7E57610EA4E09
  SHA256: 5EB82F1263629746E167ED91B3C12D51AAE1408F62F405170A8943759D15F525
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1624 | AppLaunch.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | binary | 286 b | shared
1624 | AppLaunch.exe | POST | 200 | 185.220.35.84:5002 | http://185.220.35.84:5002/uploadfile | RU | text | 7 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1624 | AppLaunch.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious
1624 | AppLaunch.exe | 185.220.35.84:5002 | (none) | LLC Vpsville | RU | malicious

DNS requests

Domain | IP | Reputation
ip-api.com | 208.95.112.1 | shared

Threats

PID | Process | Class | Message
1624 | AppLaunch.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api.com)
1624 | AppLaunch.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
1624 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
1624 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
1624 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
1624 | AppLaunch.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
3 ETPRO signatures are available in the full report.
Debug output

Process | Message
AppLaunch.exe | CLR: Managed code called FailFast without specifying a reason.
AppLaunch.exe | CLR: Managed code called FailFast without specifying a reason.